Puppet Server Version: 6.11.1
OS Name/Version: Debian GNU/Linux 10 (buster)
The default value for the webserver's client-auth setting is need: https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/src/puppetlabs/trapperkeeper/services/webserver/jetty9_config.clj#L75 (documentation)
But the default /etc/puppetlabs/puppetserver/conf.d/webserver.conf, which comes with the Debian package from apt.puppetlabs.com at least, has client-auth: want. This seems wrong, and less secure than it should be. Typically I would expect explicitly-configured settings in default configuration files to match built-in defaults, meaning you could remove the default config file and nothing would change.
Also, an example in the documentation has a comment that seems to imply that the default should be need (or maybe that's what it used to be); see
The default webserver.conf seems to be here: https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/webserver.conf
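
A way to check which client-auth value a conf.d directory actually sets, as an added example (not part of the original report and not Puppet's own code). It is a line-based scan rather than a full HOCON parser, it treats an absent setting as the built-in default need described above, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Trapperkeeper webserver config for client-auth.
# Assumption: one setting per line (line-based scan, not a HOCON parser).

# Print "<file>: <value>" for every client-auth setting under DIR.
list_client_auth() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Strip # and // comments, then accept ':' or '=' as separator
        # and optional double quotes around the key and the value.
        sed -e 's/#.*$//' -e 's,//.*$,,' "$f" |
        sed -n 's/^[[:space:]]*"\{0,1\}client-auth"\{0,1\}[[:space:]]*[:=][[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*$/\1/p' |
        while read -r value; do
            printf '%s: %s\n' "$f" "$value"
        done
    done
}

# Return 0 when every explicit setting is "need", or when none is set
# (the built-in default "need" then applies). Return 1 when any file
# sets something else, such as "want", and list the offenders on stderr.
audit_client_auth() {
    weak=$(list_client_auth "$1" | grep -v ': need$' || true)
    if [ -n "$weak" ]; then
        printf 'client certificate not required:\n%s\n' "$weak" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: "shipped" mirrors the setting quoted in the
# report, "hardened" sets need and keeps the old value as a comment.
write_samples() {
    mkdir -p "$1/shipped" "$1/hardened"
    printf 'webserver: {\n    client-auth: want\n}\n' \
        > "$1/shipped/webserver.conf"
    printf 'webserver: {\n    # client-auth: want\n    "client-auth" = "need"\n}\n' \
        > "$1/hardened/webserver.conf"
}
```

To check a live install, run audit_client_auth against /etc/puppetlabs/puppetserver/conf.d, the directory named in the report.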