Header Vary: Accept-Encoding - security risk?

chili_confits nginx-forum at nginx.us
Wed May 28 21:20:54 UTC 2014


Dear list,

I have enabled gzip with
  ...
  gzip on;
  gzip_http_version 1.0;
  gzip_vary on;
  ...
to satisfy incoming HTTP 1.0 requests.

In a very similar setup which got OWASP-evaluated, I read this - marked as
a defect:
"The web server sent a Vary header, which indicates that server-driven
negotiation was done to determine which content should be delivered. This
may indicate that different content is available based on the headers in the
HTTP request."
IMHO this is a false positive ...

This is what I send:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 May 2014 17:55:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: ...
...

What do you think?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,250449,250449#msg-250449
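One way to triage this kind of scanner finding before dismissing it, as an added example that is not part of the original post or of nginx: parse the response headers, check whether Vary lists anything beyond Accept-Encoding (Cookie, User-Agent, Authorization or "*" would mean the resource genuinely changes per client), and confirm that the gzip-encoded body, once decompressed, is byte-identical to the identity-encoded body. The responses below are constructed sample data modelled on the headers quoted in the post, not captured traffic; the function names and the benign-field list are this example's own assumptions.

```python
"""Offline triage of a 'Vary header' scanner finding (added example)."""
import gzip

# Request headers that only drive compression negotiation.  Varying on
# anything else means a different document per client and deserves review.
BENIGN_VARY_FIELDS = {"accept-encoding"}   # assumption: this example's allowlist


def parse_raw_response(raw: bytes):
    """Split an HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased; repeated list-valued headers (Vary) are
    joined with ', ' as RFC 7230 permits.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def vary_fields(headers):
    """Lower-cased field names listed in Vary (empty set if absent)."""
    return {f.strip().lower() for f in headers.get("vary", "").split(",") if f.strip()}


def triage_vary(headers, benign=BENIGN_VARY_FIELDS):
    """Return (verdict, unexpected_fields); verdict is 'none', 'benign' or 'review'."""
    fields = vary_fields(headers)
    if not fields:
        return "none", set()
    unexpected = fields - benign          # includes '*' if present
    if unexpected:
        return "review", unexpected
    return "benign", set()


def decoded_body(headers, body):
    """Undo Content-Encoding: gzip so the two bodies compare as plain bytes."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "identity":
        return body
    raise ValueError(f"unsupported Content-Encoding: {encoding}")


def same_resource(raw_plain, raw_gzip):
    """True when both responses carry identical content after decoding.

    That is the evidence that Vary: Accept-Encoding reflects compression
    only, not a different page depending on request headers.
    """
    _, h1, b1 = parse_raw_response(raw_plain)
    _, h2, b2 = parse_raw_response(raw_gzip)
    return decoded_body(h1, b1) == decoded_body(h2, b2)


# --- constructed sample responses, modelled on the headers in the post ---
PAGE = b"<html><body>hello</body></html>"
_GZ = gzip.compress(PAGE)

RESPONSE_PLAIN = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Vary: Accept-Encoding\r\nX-Content-Type-Options: nosniff\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(PAGE) + PAGE
)
RESPONSE_GZIP = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    b"Content-Type: text/html; charset=utf-8\r\nContent-Encoding: gzip\r\n"
    b"Vary: Accept-Encoding\r\nX-Content-Type-Options: nosniff\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_GZ) + _GZ
)
# A response that really does vary per user; this one merits a closer look.
RESPONSE_PER_USER = (
    b"HTTP/1.1 200 OK\r\nVary: Accept-Encoding, Cookie\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(triage_vary(parse_raw_response(RESPONSE_GZIP)[1]))      # ('benign', set())
    print(same_resource(RESPONSE_PLAIN, RESPONSE_GZIP))           # True
    print(triage_vary(parse_raw_response(RESPONSE_PER_USER)[1]))  # ('review', {'cookie'})
```

For a live check the same two functions can be fed the raw bytes of two requests to one URL, one sent without Accept-Encoding and one with Accept-Encoding: gzip; a 'benign' verdict plus identical decoded bodies is what supports the false-positive argument made in the post.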