2014-05-28 23:20 GMT+02:00 chili_confits <nginx-forum@nginx.us>:
> I have enabled gzip with
> ...
> gzip on;
> gzip_http_version 1.0;
> gzip_vary on;
> ...
> to satisfy incoming HTTP 1.0 requests.
>
> In a very similiar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...

Do not suppress header »Vary« or you will run into problems with
proxies, which would otherwise always serve the file gzip-ped
regardless of a requester indicating support or lack thereof.

Nginx does no content negotiation to the extend which would reveal
that »/config.inc« exists if »/config« were requested with the intend
to get »/config.css«. As you can see, even this example is
far-fetched.

--
Mark

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx