You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
From reading various comments, it is clear that Node.js’s HTTP parser is as strict as it is to prevent request smuggling attacks. However, it has never been explained what the particular attacks are.
In particular, Node.js does not allow:
Status lines or field lines that end with a bare LF, which the standard recommends be allowed.
Whitespace after a chunk length, which RFC9112 permits (but considers obsolete).
Invalid characters in HTTP/1.x field values, which are permitted by HAProxy and NGINX.
Which specific attacks are blocked by these measures? Is there a concrete security vulnerability in any software that is not so strict?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Node.js
-
From reading various comments, it is clear that Node.js’s HTTP parser is as strict as it is to prevent request smuggling attacks. However, it has never been explained what the particular attacks are.
In particular, Node.js does not allow:
Which specific attacks are blocked by these measures? Is there a concrete security vulnerability in any software that is not so strict?
Beta Was this translation helpful? Give feedback.
All reactions