Header Vary: Accept-Encoding - security risk ?

W-Mark Kubacki wmark+nginx at hurrikane.de
Thu May 29 15:48:21 UTC 2014

2014-05-28 23:20 GMT+02:00 chili_confits <nginx-forum at nginx.us>:
> I have enabled gzip with
>   ...
>   gzip on;
>   gzip_http_version 1.0;
>   gzip_vary on;
>   ...
> to satisfy incoming HTTP 1.0 requests.
> In a very similiar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...

Do not suppress header »Vary« or you will run into problems with
proxies, which would otherwise always serve the file gzip-ped
regardless of a requester indicating support or lack thereof.

Nginx does no content negotiation to the extend which would reveal
that »/config.inc« exists if »/config« were requested with the intend
to get »/config.css«. As you can see, even this example is


More information about the nginx mailing list