It is not technically illegal for a GET request to have a non-zero Content-Length, but it is unusual, and generally undefined how a server should handle it.

One idea I can think of is to use the server's OnHeadersAvailable event to detect this condition and either reject the request outright (using the OnHeadersBlocked event if you want to customize the response), or to assign a non-infinite ReadTimeout to the connection so the server doesn't freeze indefinitely waiting for body data that won't arrive. In which case, you might choose to assign the timeout in the server's OnConnect event instead so it applies to all requests unconditionally (probably not a bad thing to do in general).

In the meantime, I will consider adding logic to TIdHTTPServer to just flat out reject GET requests that report a non-empty message body.

Thank you very much for you reply, Remy! Unfortunately I was unable to identify http verb (to check it if is a GET) inside OnHeadersAvailable event handler since there is no easy access to RequestInfo.

Is there any way to check this on nHeadersAvailable event handler ?

Unfortunately, no. That will have to be added as a new feature (#379). However, in the meantime, you do have access to the URL that is being requested, so if you know the provided URL only handles GET requests then you can reject the request if the provided headers have a non-zero Content-Length.