<div dir="ltr">expires -1;<br><br>Does not create an "Expires: -1" header.<br><br><br>It should create:<br><br>Expires: Thu, 01 Jan 1970 00:00:00 GMT<br><br><br>A time in the “Expires” field is computed as a sum of the current time and time specified in the directive. If the modified parameter is used (0.7.0, 0.6.32) then time is computed as a sum of the file’s modification time and time specified in the directive.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 1, 2014 at 5:06 AM, Kristian Erik Hermansen <span dir="ltr"><<a href="mailto:kristian.hermansen@gmail.com" target="_blank">kristian.hermansen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">привет!<br>
<div class=""><br>
On Thu, Jul 31, 2014 at 5:25 AM, Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br>
> We intentionally avoid various "security recommendations" except<br>
> via providing appropriate defaults.<br>
><br>
> People tend to have different ideas of what security is, and how<br>
> it should be achieved. Additionally, all such recommendations<br>
> tend to become stale in a very short period of time.<br>
<br>
</div>How do you define "very short period of time"? These are standards<br>
that will remain effectively indefinitely.<br>
<div class=""><br>
> Goal of the sample configuration file is to show how to configure<br>
> things, not to give any recommendations.<br>
<br>
</div>And I thought that it was useful to be secure by default, rather than<br>
insecure by default. If nginx would like to take the stance that<br>
security should be avoided while preferring ease of use, well OK then,<br>
but state that publicly here and take ownership of that stance so that<br>
I can reference your lack of commitment.<br>
<div class=""><br>
> Cache-related headers are either invalid (Expires syntax doesn't<br>
> allow "-1" as a valid value, and "Pragma: no-cache" behaviour is<br>
> unspecified when used in a response) or just silly (Cache-Control<br>
> in question disables caching, which is irrelevant for security in<br>
> most cases, but will make things much slower).<br>
<br>
</div>If you don't agree that "Expires '-1'" is valid, then maybe you should<br>
update your own internal documentation and stop recommending it, but I<br>
think your stance is incorrect. It is not only valid, but recommended.<br>
<br>
<a href="http://nginx.org/en/docs/http/ngx_http_headers_module.html" target="_blank">http://nginx.org/en/docs/http/ngx_http_headers_module.html</a><br>
<br>
The Pragma / Cache-Control options are actually very relevant,<br>
especially in corporate environments. For instance, most corporations<br>
force outbound connections via an internal web proxy. By caching<br>
content served over HTTPS, an internal attacker can infer content via<br>
the proxy cache, which is a security issue. Sensitive content should<br>
not be cached, I hope we agree. And I request you consult RFC2616 if<br>
you think the behavior is "unspecified" as you surely aren't<br>
considering the same RFCs I am referencing.<br>
<br>
<a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html" target="_blank">http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html</a><br>
<div class=""><br>
> Moreover, there is the "expires" directive to control<br>
> cache-related headers, and it should be used in a proper nginx<br>
> configuration instead, see <a href="http://nginx.org/r/expires" target="_blank">http://nginx.org/r/expires</a>.<br>
<br>
</div>Great. Again, see my comments above regarding using it. You contradict<br>
yourself...<br>
<div class="im HOEnZb">--<br>
Regards,<br>
<br>
Kristian Erik Hermansen<br>
<a href="https://www.linkedin.com/in/kristianhermansen" target="_blank">https://www.linkedin.com/in/kristianhermansen</a><br>
<a href="https://google.com/+KristianHermansen" target="_blank">https://google.com/+KristianHermansen</a><br>
<br>
</div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a></div></div></blockquote></div><br></div>