Still not convinced by this; security risk should be addressed by only doing this if GET is the only method registered for that uri (part of #13). Also don't think it's appropriate for the only way to do this to be middleware that's aware of the routing table.

That said, some potential improvements:

• consider the routing table invalid and raise an error if a path has methods-other-than-GET but no HEAD responder; this should probably be done for correctness whether the HEAD -> GET rewrite is there or not
• make it opt in

Also don't think it's appropriate for the only way to do this to be middleware that's aware of the routing table.

a middlware doesn't actually need the routing table in order to replicate this, it just needs a "matcher" ( can be the base router in hack-router ) : https://github.com/nuxed/framework/blob/rx/src/Nuxed/Http/Router/Middleware/ImplicitHeadMiddleware.hack#L6-L87

To be safe and avoid the same same GET/POST -> HEAD issue even if it's multiple controllers or even different patterns that matcher must be the routing table