Header Vary: Accept-Encoding - security risk ?
Maxim Dounin
mdounin at mdounin.ru
Thu May 29 15:18:56 UTC 2014
Hello!
On Wed, May 28, 2014 at 05:20:54PM -0400, chili_confits wrote:
> Dear list,
>
> I have enabled gzip with
> ...
> gzip on;
> gzip_http_version 1.0;
> gzip_vary on;
> ...
> to satisfy incoming HTTP 1.0 requests.
>
> In a very similiar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...
>
> This is what I send:
> HTTP/1.1 200 OK
> Server: nginx
> Date: Tue, 27 May 2014 17:55:23 GMT
> Content-Type: text/html; charset=utf-8
> Connection: keep-alive
> Vary: Accept-Encoding
> X-Content-Type-Options: nosniff
> Content-Length: ...
> ...
>
> What do you think ?
The Vary header indeed indicates server-driven negotiation, this
is what gzip filter does - it returns different content (either
gzipped or not) depending on whether a client supports gzip or not.
The actual question is "Why it is marked as a defect?", but it's
unlikely to be answered here - you'd better ask the person who
marked it.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list