pjfanning commented on code in PR #394:
URL: https://github.com/apache/incubator-pekko-http/pull/394#discussion_r1440348762


##########
http-core/src/main/resources/reference.conf:
##########
@@ -307,6 +307,17 @@ pekko.http {
       # Fail the connection if a sent ping is not acknowledged within this 
timeout.
       # When zero the ping-interval is used, if set the value must be evenly 
divisible by less than or equal to the ping-interval.
       ping-timeout = 0s
+
+      frame-type-throttle {
+        # Configure the throttle for non-data frame types 
(https://github.com/apache/incubator-pekko-http/issues/332)
+        # supported frame-types for throttlng are:
+        # reset, headers, continuation, go-away, priority, ping, push-promise, 
window-update
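Review bot: the added comment line `# supported frame-types for throttlng are:` misspells "throttling". The comment block also lists the supported values without showing the key users actually set; since the discussion settles on `frame-types = ["reset"]` as the minimum that covers CVE-2023-44487, one example line under the list, with a note that the list can be expanded, would make the setting self-explanatory without adding further guidance.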

Review Comment:
   I'd prefer not to provide too much guidance. If users want to protect against CVE-2023-44487, they just need `frame-types = ["reset"]`. In @jrudolph's original solution, almost the full list in line 314 was throttled (the exception was that `window-update` wasn't throttled, but there was a TODO to work out whether it should be throttled).

   If we do make a recommendation, I would suggest `frame-types = ["reset"]` and suggest to users that they might want to expand the list.
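To make the trade-off in this thread concrete, here is a small added example (not Pekko HTTP's own code) that models a per-connection throttle over the non-data frame types listed in the reference.conf comment. The sliding-window limit (`max_frames` per `per_seconds`) is an assumption for illustration; the real throttle parameters in the PR are not shown on this page. The example counts only the configured `frame-types`, fails the connection when the limit is exceeded, and is run once with `["reset"]` and once with the full list to show how much earlier the broader configuration trips on a constructed rapid-reset burst.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Frame types the reference.conf comment names as throttleable.
THROTTLEABLE = frozenset({
    "reset", "headers", "continuation", "go-away",
    "priority", "ping", "push-promise", "window-update",
})


@dataclass
class FrameTypeThrottle:
    """Per-connection sliding-window throttle (assumed shape, for illustration).

    Create one instance per connection: on_frame() keeps state.
    """
    frame_types: Iterable[str]
    max_frames: int          # assumption: allow at most this many counted frames ...
    per_seconds: float       # ... within any window of this many seconds
    _times: deque = field(default_factory=deque, repr=False)

    def __post_init__(self) -> None:
        self.frame_types = frozenset(self.frame_types)
        unknown = self.frame_types - THROTTLEABLE
        if unknown:
            raise ValueError(f"unsupported frame-types: {sorted(unknown)}")

    def on_frame(self, frame_type: str, now: float) -> bool:
        """Record a received frame; return True if the connection should be failed."""
        if frame_type not in self.frame_types:
            return False                      # e.g. DATA frames are never counted
        while self._times and now - self._times[0] > self.per_seconds:
            self._times.popleft()             # drop frames outside the window
        self._times.append(now)
        return len(self._times) > self.max_frames


def rapid_reset_burst(n_streams: int, gap: float = 0.001) -> List[Tuple[str, float]]:
    """Constructed sample traffic: each stream is opened with HEADERS and
    immediately cancelled with RST_STREAM ("reset"), `gap` seconds apart."""
    frames, t = [], 0.0
    for _ in range(n_streams):
        frames.append(("headers", t)); t += gap
        frames.append(("reset", t)); t += gap
    return frames


def first_violation(throttle: FrameTypeThrottle,
                    frames: List[Tuple[str, float]]) -> Optional[int]:
    """Index of the frame at which the throttle fails the connection, or None."""
    for i, (ftype, t) in enumerate(frames):
        if throttle.on_frame(ftype, t):
            return i
    return None


if __name__ == "__main__":
    burst = rapid_reset_burst(50)
    minimal = FrameTypeThrottle(["reset"], max_frames=20, per_seconds=1.0)
    broad = FrameTypeThrottle(THROTTLEABLE, max_frames=20, per_seconds=1.0)
    print("reset only :", first_violation(minimal, burst))   # 41: the 21st reset
    print("full list  :", first_violation(broad, burst))     # 20: headers count too
    # Legitimate flow-control traffic, well under the limit, passes either way.
    quiet = [("window-update", i * 0.5) for i in range(10)]
    print("quiet      :", first_violation(
        FrameTypeThrottle(THROTTLEABLE, max_frames=20, per_seconds=1.0), quiet))  # None
```

With the same limit, the `["reset"]` configuration fails the connection only once cancellations themselves are excessive, whereas the full list also charges the HEADERS frame that opens each stream, so it trips after half as many streams and, for the same reason, is more likely to affect busy but legitimate clients. That is the sense in which expanding the list is a tuning decision rather than a strictly safer default.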



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
