On Sun, Jan 19, 2014 at 8:06 AM, mex <[email protected]> wrote:
> very interesting read:
> http://homakov.blogspot.de/2014/01/cookie-bomb-or-lets-break-internet.html
>
> ....
> my question: is there a generic way to check the size of such headers like
> cookies etc and to cut them off, or should we live with such malicious intent?
No good one-size-fits-all solution that I have found. Trade off here and you worsen over there...

I have worked on an internal system (not a public endpoint, internal to the DMZ only) where the request URL, or any one of the individual request header values, could approach 32 KBytes in size, with a full client or server header reaching 64+ KB. We use a custom Nginx build to handle this on the internal proxy tier only, not public. The public endpoints respond with a custom empty JSON response body for all such 4xx/5xx errors instead of the default 400 like above.

I'd love to know of more elegant ways to handle this, with header-specific handling - especially cookies, if possible...

Best regards,

P.S. Off-topic, but I have used this "feature" before to check for content-middling proxies between me and endpoints. Such headers often result in proxy errors or timeouts even when implemented in transparent, trying-to-be-inconspicuous mode.

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
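One way to put a hard bound on request-header size at the nginx edge and answer oversize (cookie-bombed) requests with an empty JSON body, along the lines the reply describes. This is an added example, not the poster's configuration; the buffer sizes, server_name and upstream address are assumptions.

```nginx
# Added example, not the poster's configuration. Buffer sizes, server_name
# and the upstream address are illustrative assumptions.
http {
    # Buffer space for the whole request-header block (request line plus
    # all header fields). A request whose headers overflow these buffers,
    # e.g. one carrying bombed cookies, is rejected here before it reaches
    # any upstream.
    client_header_buffer_size   1k;
    large_client_header_buffers 4 8k;

    upstream backend {
        server 127.0.0.1:8080;      # assumed application server
    }

    server {
        listen 80;
        server_name example.test;   # placeholder

        # nginx raises the internal code 494 ("Request Header Or Cookie Too
        # Large") when the buffers above overflow. Route it, together with
        # the other size-related 4xx codes, to a named location that answers
        # with a minimal JSON body instead of the default HTML error page.
        error_page 494 400 413 414 @empty_json_4xx;
        error_page 500 502 503 504 @empty_json_5xx;

        location @empty_json_4xx {
            default_type application/json;
            return 400 '{}';
        }

        location @empty_json_5xx {
            default_type application/json;
            return 500 '{}';
        }

        location / {
            proxy_pass http://backend;
        }
    }
}
```

Validate the file with `nginx -t` before reloading; the rejected requests still appear in the error log, which is where to look for a cookie-bomb pattern against a given path.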
