Header Vary: Accept-Encoding - security risk ?

Maxim Dounin mdounin at mdounin.ru
Thu May 29 15:18:56 UTC 2014


Hello!

On Wed, May 28, 2014 at 05:20:54PM -0400, chili_confits wrote:

> Dear list,
> 
> I have enabled gzip with
>   ...
>   gzip on;
>   gzip_http_version 1.0;
>   gzip_vary on;
>   ...
> to satisfy incoming HTTP 1.0 requests.
> 
> In a very similiar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...
> 
> This is what I send:
> HTTP/1.1 200 OK
> Server: nginx
> Date: Tue, 27 May 2014 17:55:23 GMT
> Content-Type: text/html; charset=utf-8
> Connection: keep-alive
> Vary: Accept-Encoding
> X-Content-Type-Options: nosniff
> Content-Length: ...
> ...
> 
> What do you think ?

The Vary header indeed indicates server-driven negotiation, this 
is what gzip filter does - it returns different content (either 
gzipped or not) depending on whether a client supports gzip or not.

The actual question is "Why it is marked as a defect?", but it's 
unlikely to be answered here - you'd better ask the person who 
marked it.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list