Header Vary: Accept-Encoding - security risk ?

May 28, 2014 05:20PM
Dear list,

I have enabled gzip with
...
gzip on;
gzip_http_version 1.0;
gzip_vary on;
...
to satisfy incoming HTTP 1.0 requests.

In a very similar setup which got OWASP-evaluated, I read this - marked as a defect:
"The web server sent a Vary header, which indicates that server-driven negotiation was done to determine which content should be delivered. This may indicate that different content is available based on the headers in the HTTP request."
IMHO this is a false positive ...

This is what I send:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 May 2014 17:55:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: ...
...

What do you think?
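The following triage check is an added example for this thread, not code from the original post, from nginx, or from the OWASP tool quoted above. It encodes the reasoning a reviewer would apply to such a finding: `Vary: Accept-Encoding` (which `gzip_vary on;` emits) only tells a shared cache to key its entry on the request's Accept-Encoding header, so that a gzip body is never handed to a client that did not ask for it; it says nothing about the content differing by user, cookie or client. A Vary header is worth attention when it lists request headers such as Cookie, User-Agent or Authorization, or when it is `*`. The check fetches nothing: it works on two constructed raw responses modelled on the headers shown in the post (one without Accept-Encoding, one with gzip), decodes both, and reports only the conditions that would make the scanner's finding real. The helper names (`build_response`, `parse_response`, `triage_vary`) and the sample body are this example's own.

```python
import gzip

# Constructed sample page body for the example (not the poster's real content).
SAMPLE_BODY = b"<html><body><p>Hello from nginx</p></body></html>\n"

# Vary values that only tell caches to key on the request's encoding; these do
# not mean the server varies the *content* by client attributes.
BENIGN_VARY = {"accept-encoding"}


def build_response(body, compressed, vary=("Accept-Encoding",)):
    """Build a raw HTTP/1.1 response modelled on the headers shown in the post.

    Constructed for this example. The compressed variant is the shape nginx
    sends when the client offers Accept-Encoding: gzip and gzip_vary is on.
    """
    payload = gzip.compress(body) if compressed else body
    lines = [
        b"HTTP/1.1 200 OK",
        b"Server: nginx",
        b"Content-Type: text/html; charset=utf-8",
        b"Vary: " + ", ".join(vary).encode("ascii"),
        b"X-Content-Type-Options: nosniff",
    ]
    if compressed:
        lines.append(b"Content-Encoding: gzip")
    lines.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(lines) + b"\r\n\r\n" + payload


def parse_response(raw):
    """Split a raw response into (status line, {lower-cased name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        key, value = name.strip().lower(), value.strip()
        # Repeated fields combine into one comma-separated list (RFC 7230 s3.2.2).
        headers[key] = headers[key] + ", " + value if key in headers else value
    length = int(headers.get("content-length", len(body)))
    return status.decode("ascii"), headers, body[:length]


def decode_body(headers, body):
    """Undo the content coding so the two variants can be compared byte-for-byte."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "identity":
        return body
    raise ValueError("unsupported Content-Encoding: " + encoding)


def vary_fields(headers):
    """Return the set of request-header names listed in Vary, lower-cased."""
    return {f.strip().lower() for f in headers.get("vary", "").split(",") if f.strip()}


def triage_vary(raw_without_gzip, raw_with_gzip):
    """Decide whether a 'server sent a Vary header' finding deserves attention.

    Takes the response to a request sent without Accept-Encoding and the
    response to the same request sent with Accept-Encoding: gzip. Returns a
    list of findings; an empty list means the Vary header is the benign
    Accept-Encoding case and both variants carry identical content.
    """
    findings = []
    _, h_plain, b_plain = parse_response(raw_without_gzip)
    _, h_gzip, b_gzip = parse_response(raw_with_gzip)

    listed = vary_fields(h_plain) | vary_fields(h_gzip)
    if "*" in listed:
        findings.append("Vary: * makes the response uncacheable and hides what it depends on")
    worth_a_look = listed - BENIGN_VARY - {"*"}
    if worth_a_look:
        findings.append("content varies by request header(s): " + ", ".join(sorted(worth_a_look)))
    if h_gzip.get("content-encoding") and "accept-encoding" not in vary_fields(h_gzip):
        findings.append("compressed response lacks Vary: Accept-Encoding; a shared cache could "
                        "serve the gzip body to a client that did not ask for it")
    if decode_body(h_plain, b_plain) != decode_body(h_gzip, b_gzip):
        findings.append("decoded bodies differ between the plain and gzip variants")
    return findings


if __name__ == "__main__":
    plain = build_response(SAMPLE_BODY, compressed=False)
    gzipped = build_response(SAMPLE_BODY, compressed=True)
    print("benign case:", triage_vary(plain, gzipped) or "no findings")
    cookie_vary = ("Accept-Encoding", "Cookie")
    print("Vary: Cookie case:", triage_vary(
        build_response(SAMPLE_BODY, False, cookie_vary),
        build_response(SAMPLE_BODY, True, cookie_vary)))
```

Against a real server the two inputs would be the raw bytes of two requests for the same URL, one sent with `Accept-Encoding: gzip` and one without it; for the header set in the post the check returns no findings, which is the "false positive" outcome. Where it does report, the first two findings are the ones that match what the scanner text is warning about, and the third is the opposite problem (compression without the Vary header), which is what `gzip_vary on;` prevents.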
Thread replies:

- Header Vary: Accept-Encoding - security risk ? (chili_confits, May 28, 2014 05:20PM)
- Re: Header Vary: Accept-Encoding - security risk ? (Maxim Dounin, May 29, 2014 11:20AM)
- Re: Header Vary: Accept-Encoding - security risk ? (W-Mark Kubacki, May 29, 2014 11:50AM)
- Re: Header Vary: Accept-Encoding - security risk ? (B.R., May 29, 2014 02:30PM)
