diff --git a/.sai.json b/.sai.json
index 0105b0e65..f6f515d6b 100644
--- a/.sai.json
+++ b/.sai.json
@@ -41,7 +41,7 @@
 			"default": false
 		},
 		"windows-10/x86_64-amd/msvc": {
-			"build": "mkdir build && cd build && set SAI_CPACK=\"-G ZIP\" && cmake .. -DLWS_OPENSSL_LIBRARIES=\"C:\\Program Files\\OpenSSL\\lib\\libssl.lib;C:\\Program Files\\OpenSSL\\lib\\libcrypto.lib\" -DLWS_OPENSSL_INCLUDE_DIRS=\"C:\\Program Files\\OpenSSL\\include\" -DLWS_EXT_PTHREAD_INCLUDE_DIR=\"C:\\Program Files (x86)\\pthreads\\include\" -DLWS_EXT_PTHREAD_LIBRARIES=\"C:\\Program Files (x86)\\pthreads\\lib\\x64\\libpthreadGC2.a\" ${cmake} && cmake --build . --config DEBUG && set CTEST_OUTPUT_ON_FAILURE=1 && ctest . -C DEBUG -j4 --output-on-failure",
+			"build": "mkdir build && cd build && set SAI_CPACK=\"-G ZIP\" && cmake .. -DLWS_OPENSSL_LIBRARIES=\"C:\\Program Files\\OpenSSL\\lib\\libssl.lib;C:\\Program Files\\OpenSSL\\lib\\libcrypto.lib\" -DLWS_OPENSSL_INCLUDE_DIRS=\"C:\\Program Files\\OpenSSL\\include\" -DLWS_EXT_PTHREAD_INCLUDE_DIR=\"C:\\Program Files (x86)\\pthreads\\include\" -DLWS_EXT_PTHREAD_LIBRARIES=\"C:\\Program Files (x86)\\pthreads\\lib\\x64\\libpthreadGC2.a\" ${cmake} && cmake --build . --config DEBUG && set CTEST_OUTPUT_ON_FAILURE=1 && ctest . -C DEBUG -j1 --output-on-failure",
 			"default": false
 		},
 		"windows-10/x86_64-amd/mingw32": {
diff --git a/include/libwebsockets/lws-secure-streams-policy.h b/include/libwebsockets/lws-secure-streams-policy.h
index 47af55579..516075ef1 100644
--- a/include/libwebsockets/lws-secure-streams-policy.h
+++ b/include/libwebsockets/lws-secure-streams-policy.h
@@ -165,9 +165,9 @@ typedef struct lws_ss_metadata {
 	void			*value__may_own_heap;
 	size_t			length;
 
-	uint8_t			value_on_lws_heap; /* proxy + rx metadata does this */
-	uint8_t			value_is_http_token; /* valid if set by policy */
 	uint8_t			value_length; /* only valid if set by policy */
+	uint8_t			value_is_http_token; /* valid if set by policy */
+	uint8_t			value_on_lws_heap:1; /* proxy + rx metadata does this */
 #if defined(LWS_WITH_SECURE_STREAMS_PROXY_API)
 	uint8_t			pending_onward:1;
 #endif
diff --git a/include/libwebsockets/lws-secure-streams.h b/include/libwebsockets/lws-secure-streams.h
index e48cba6c5..24344f421 100644
--- a/include/libwebsockets/lws-secure-streams.h
+++ b/include/libwebsockets/lws-secure-streams.h
@@ -310,6 +310,16 @@ enum {
 	 * we are an accepted connection from a server's listening socket */
 };
 
+typedef lws_ss_state_return_t (*lws_sscb_rx)(void *userobj, const uint8_t *buf,
+					     size_t len, int flags);
+typedef lws_ss_state_return_t (*lws_sscb_tx)(void *userobj,
+					     lws_ss_tx_ordinal_t ord,
+					     uint8_t *buf, size_t *len,
+					     int *flags);
+typedef lws_ss_state_return_t (*lws_sscb_state)(void *userobj, void *h_src,
+			       lws_ss_constate_t state,
+			       lws_ss_tx_ordinal_t ack);
+
 typedef struct lws_ss_info {
 	const char *streamtype; /**< type of stream we want to create */
 	size_t	    user_alloc; /**< size of user allocation */
@@ -319,15 +329,12 @@ typedef struct lws_ss_info {
 	/**< offset of opaque user data ptr in user_alloc type, set to
 	     offsetof(mytype, opaque_ud_member) */
 
-	lws_ss_state_return_t (*rx)(void *userobj, const uint8_t *buf,
-				    size_t len, int flags);
+	lws_sscb_rx rx;
 	/**< callback with rx payload for this stream */
-	lws_ss_state_return_t (*tx)(void *userobj, lws_ss_tx_ordinal_t ord,
-				    uint8_t *buf, size_t *len, int *flags);
+	lws_sscb_tx tx;
 	/**< callback to send payload on this stream... 0 = send as set in
 	 * len and flags, 1 = do not send anything (ie, not even 0 len frame) */
-	lws_ss_state_return_t (*state)(void *userobj, void *h_src /* ss handle type */,
-			      lws_ss_constate_t state, lws_ss_tx_ordinal_t ack);
+	lws_sscb_state state;
 	/**< advisory cb about state of stream and QoS status if applicable...
 	 * h_src is only used with sinks and LWSSSCS_SINK_JOIN/_PART events.
 	 * Return nonzero to indicate you want to destroy the stream. */
@@ -654,12 +661,8 @@ lws_ss_server_ack(struct lws_ss_handle *h, int nack);
  * to the default when the transaction wanting it is completed.
  */
 LWS_VISIBLE LWS_EXTERN void
-lws_ss_change_handlers(struct lws_ss_handle *h,
-	int (*rx)(void *userobj, const uint8_t *buf, size_t len, int flags),
-	int (*tx)(void *userobj, lws_ss_tx_ordinal_t ord, uint8_t *buf,
-		  size_t *len, int *flags),
-	int (*state)(void *userobj, void *h_src /* ss handle type */,
-		     lws_ss_constate_t state, lws_ss_tx_ordinal_t ack));
+lws_ss_change_handlers(struct lws_ss_handle *h, lws_sscb_rx rx, lws_sscb_tx tx,
+		       lws_sscb_state state);
 
 /**
  * lws_ss_add_peer_tx_credit() - allow peer to transmit more to us
diff --git a/lib/roles/http/header.c b/lib/roles/http/header.c
index 7597824a7..2eed54ff7 100644
--- a/lib/roles/http/header.c
+++ b/lib/roles/http/header.c
@@ -48,7 +48,7 @@ lws_http_string_to_known_header(const char *s, size_t slen)
 		if (!strncmp(set[n], s, slen))
 			return n;
 
-	return -1;
+	return LWS_HTTP_NO_KNOWN_HEADER;
 }
 
 int
diff --git a/lib/roles/http/private-lib-roles-http.h b/lib/roles/http/private-lib-roles-http.h
index 716729985..d8d9fc17e 100644
--- a/lib/roles/http/private-lib-roles-http.h
+++ b/lib/roles/http/private-lib-roles-http.h
@@ -94,6 +94,8 @@ void
 lws_ranges_reset(struct lws_range_parsing *rp);
 #endif
 
+#define LWS_HTTP_NO_KNOWN_HEADER 0xff
+
 /*
  * these are assigned from a pool held in the context.
  * Both client and server mode uses them for http header analysis
diff --git a/lib/secure-streams/policy-common.c b/lib/secure-streams/policy-common.c
index 91f73821e..9f5483e5f 100644
--- a/lib/secure-streams/policy-common.c
+++ b/lib/secure-streams/policy-common.c
@@ -113,7 +113,7 @@ lws_ss_get_metadata(struct lws_ss_handle *h, const char *name,
 lws_ss_metadata_t *
 lws_ss_get_handle_metadata(struct lws_ss_handle *h, const char *name)
 {
-	int n = 0;
+	int n;
 
 	for (n = 0; n < h->policy->metadata_count; n++)
 		if (!strcmp(name, h->metadata[n].name))
diff --git a/lib/secure-streams/policy-json.c b/lib/secure-streams/policy-json.c
index 58850e996..ea3b159c6 100644
--- a/lib/secure-streams/policy-json.c
+++ b/lib/secure-streams/policy-json.c
@@ -670,8 +670,8 @@ lws_ss_policy_parser_cb(struct lejp_ctx *ctx, char reason)
 #if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2)
 		/*
 		 * Check the metadata value part to see if it's a well-known
-		 * http header... if so, 0xff means no header string match else
-		 * it's the well-known header index
+		 * http header... if so, LWS_HTTP_NO_KNOWN_HEADER (0xff) means
+		 * no header string match else it's the well-known header index
 		 */
 		a->curr[LTY_POLICY].p->metadata->value_is_http_token = (uint8_t)
 			lws_http_string_to_known_header(ctx->buf, ctx->npos);
diff --git a/lib/secure-streams/protocols/ss-h1.c b/lib/secure-streams/protocols/ss-h1.c
index 0c6927edd..c95a22d6d 100644
--- a/lib/secure-streams/protocols/ss-h1.c
+++ b/lib/secure-streams/protocols/ss-h1.c
@@ -236,7 +236,7 @@ lws_extract_metadata(lws_ss_handle_t *h, struct lws *wsi)
 
 	while (polmd) {
 
-		if (polmd->value_is_http_token != 0xff) {
+		if (polmd->value_is_http_token != LWS_HTTP_NO_KNOWN_HEADER) {
 
 			/* it's a well-known header token */
 
@@ -299,8 +299,8 @@ lws_extract_metadata(lws_ss_handle_t *h, struct lws *wsi)
 					}
 
 					/*
-					 * copy the named custom header value into the
-					 * malloc'd buffer
+					 * copy the named custom header value
+					 * into the malloc'd buffer
 					 */
 
 					if (lws_hdr_custom_copy(wsi, p, n + 1,