Go 1.13.1 and Go 1.12.10 released as minor updates

Go 1.13.1 and Go 1.12.10 have been released. They fix a security issue, as follows:

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers that have a space before the colon, in violation of RFC 7230.

If a Go server is used behind an uncommon reverse proxy that accepts and forwards these invalid headers but does not normalize them, the reverse proxy and the server will interpret the headers differently from each other. This can lead to filter bypasses or to request smuggling, the latter if the proxy multiplexes requests from different clients onto the same upstream connection. Go servers now reject such invalid headers, and they are passed to Go client applications without normalization.
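The disagreement described above can be reproduced on a single header line. The following is an added example, not code from the Go project: `rawName`, `lenientName`, `strictName` and `framingMismatch` are hypothetical helpers that model the two interpretations in simplified form, and only `textproto.CanonicalMIMEHeaderKey` is a real Go API.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// isTchar reports whether c may appear in an RFC 7230 field-name (a token).
func isTchar(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' ||
		strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// rawName is the name as a hop that forwards without normalizing sees it.
func rawName(line string) string { return strings.SplitN(line, ":", 2)[0] }

// lenientName models the pre-fix handling: trim spaces before the colon, then canonicalize.
func lenientName(line string) string {
	return textproto.CanonicalMIMEHeaderKey(strings.TrimRight(rawName(line), " "))
}

// strictName models a receiver that rejects any non-token byte in the field name.
func strictName(line string) (string, error) {
	name := rawName(line)
	if name == "" {
		return "", fmt.Errorf("empty field name")
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return "", fmt.Errorf("invalid byte %q in field name %q", name[i], name)
		}
	}
	return name, nil
}

// framingMismatch flags lines that only the lenient parser reads as a message-framing header.
func framingMismatch(line string) bool {
	l := lenientName(line)
	framing := l == "Transfer-Encoding" || l == "Content-Length"
	return framing && !strings.EqualFold(rawName(line), l)
}

func main() {
	for _, line := range []string{"Transfer-Encoding: chunked", "Transfer-Encoding : chunked"} { // constructed samples
		_, err := strictName(line)
		fmt.Printf("%q lenient=%q mismatch=%v strictErr=%v\n", line, lenientName(line), framingMismatch(line), err)
	}
}
```

A check like `strictName` belongs on whichever hop terminates client connections, so that a header line two parsers would read differently never reaches the upstream connection.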

Check the release notes for more information:

https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q

Origin www.oschina.net/news/110164/go-131-1-and-go-1-12-10-released