Welcome! Log In Create A New Profile

Advanced

Re: Header Vary: Accept-Encoding - security risk ?

W-Mark Kubacki
May 29, 2014 11:50AM
2014-05-28 23:20 GMT+02:00 chili_confits <nginx-forum@nginx.us>:
> I have enabled gzip with
> ...
> gzip on;
> gzip_http_version 1.0;
> gzip_vary on;
> ...
> to satisfy incoming HTTP 1.0 requests.
>
> In a very similiar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...

Do not suppress header »Vary« or you will run into problems with
proxies, which would otherwise always serve the file gzip-ped
regardless of a requester indicating support or lack thereof.

Nginx does no content negotiation to the extend which would reveal
that »/config.inc« exists if »/config« were requested with the intend
to get »/config.css«. As you can see, even this example is
far-fetched.

--
Mark

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Header Vary: Accept-Encoding - security risk ?

chili_confits May 28, 2014 05:20PM

Re: Header Vary: Accept-Encoding - security risk ?

Maxim Dounin May 29, 2014 11:20AM

Re: Header Vary: Accept-Encoding - security risk ?

W-Mark Kubacki May 29, 2014 11:50AM

Re: Header Vary: Accept-Encoding - security risk ?

B.R. May 29, 2014 02:30PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 74
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready