Header Vary: Accept-Encoding - security risk?

W-Mark Kubacki wmark+nginx at hurrikane.de
Thu May 29 15:48:21 UTC 2014


2014-05-28 23:20 GMT+02:00 chili_confits <nginx-forum at nginx.us>:
> I have enabled gzip with
>   ...
>   gzip on;
>   gzip_http_version 1.0;
>   gzip_vary on;
>   ...
> to satisfy incoming HTTP 1.0 requests.
>
> In a very similar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...

Do not suppress header »Vary« or you will run into problems with
proxies, which would otherwise always serve the file gzipped
regardless of a requester indicating support or lack thereof.

Nginx does no content negotiation to the extent which would reveal
that »/config.inc« exists if »/config« were requested with the intent
to get »/config.css«. As you can see, even this example is
far-fetched.

-- 
Mark
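The proxy problem Mark describes, as an added example that is not part of the original thread and not nginx code: a small model of an origin with `gzip on` (with and without `gzip_vary on`) behind a shared cache that honours `Vary` the way RFC 7234 requires. The URL `/style.css`, the body bytes and the two clients (a gzip-capable browser warming the cache, then an HTTP/1.0 client that sends no `Accept-Encoding`) are constructed for the illustration.

```python
import gzip

# Constructed sample resource served by the modelled origin.
BODY = b"body { color: #333; }\n" * 20


def origin(request_headers, gzip_vary):
    """Model an origin with "gzip on": compress when the client allows it.

    gzip_vary=True models "gzip_vary on", which adds "Vary: Accept-Encoding"
    so downstream caches key the entry on that request header.
    """
    accept = request_headers.get("Accept-Encoding", "")
    headers = {"Content-Type": "text/css"}
    if gzip_vary:
        headers["Vary"] = "Accept-Encoding"
    if "gzip" in accept:
        headers["Content-Encoding"] = "gzip"
        return headers, gzip.compress(BODY)
    return headers, BODY


class Cache:
    """Minimal shared cache (proxy) that selects stored responses per Vary."""

    def __init__(self, gzip_vary):
        self.gzip_vary = gzip_vary
        self.store = {}        # url -> list of (vary_values, headers, body)
        self.origin_hits = 0

    def get(self, url, request_headers):
        # A stored entry matches only if every header named in its Vary
        # has the same value in this request as in the original request.
        for vary_values, headers, body in self.store.get(url, []):
            if all(request_headers.get(h, "") == v for h, v in vary_values.items()):
                return headers, body
        headers, body = origin(request_headers, self.gzip_vary)
        self.origin_hits += 1
        vary_fields = [f.strip() for f in headers.get("Vary", "").split(",") if f.strip()]
        vary_values = {f: request_headers.get(f, "") for f in vary_fields}
        self.store.setdefault(url, []).append((vary_values, headers, body))
        return headers, body


def client_receives(cache, accept_encoding):
    """Fetch /style.css through the cache; return the decoded text, or
    None when the client is handed gzip bytes it never asked for."""
    req = {"Accept-Encoding": accept_encoding} if accept_encoding else {}
    headers, body = cache.get("/style.css", req)
    if headers.get("Content-Encoding") == "gzip":
        if "gzip" not in (accept_encoding or ""):
            return None
        return gzip.decompress(body).decode()
    return body.decode()


def run(gzip_vary):
    """Warm the cache with a gzip-capable client, then fetch as an HTTP/1.0
    client with no Accept-Encoding. Returns (first_ok, second_ok, origin_hits)."""
    cache = Cache(gzip_vary)
    first = client_receives(cache, "gzip")
    second = client_receives(cache, None)
    return first == BODY.decode(), second == BODY.decode(), cache.origin_hits


if __name__ == "__main__":
    print("gzip_vary off:", run(gzip_vary=False))   # second client gets undecodable gzip
    print("gzip_vary on: ", run(gzip_vary=True))    # cache fetches an identity copy
```

With `gzip_vary` off the cache stores the compressed entry under the bare URL and hands it to the client that never sent `Accept-Encoding`; with it on, that client misses the gzipped entry and the cache fetches an uncompressed copy, at the cost of one extra origin request and one more cache entry. The `Vary` header is therefore the fix for a correctness problem, not a disclosure of alternative content.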


