On second thought: localhost port 3142 is unprivileged and thus a local user could fire up a fake server. The acngtool only wants to trigger something at the server but to do so generic HTTP processing is involved. This HTTP processing is done with seemingly custom HTTP handling code in source/dlcon.cc. It also supports HTTP chunked encoding which has been a source of security issues in other packages in the past. A first look into the handling of this looks okay in the code.