WebApp Sec mailing list archives
Dropping connection instead of returning 400
From: christopher () baus net
Date: Tue, 1 Mar 2005 20:59:37 -0800 (PST)
I have an application proxy "under my pillow" so to speak. I've built it from the ground up over the past couple years with security in mind. It has been a long and tedious task, but I think my efforts are finally starting to pay off.

One thing that keeps coming back to me is 400 Bad Request handling. It is now my opinion that security proxies should just drop connection when faced with traffic they refuse to handle. I put some thoughts on this on my blog here:

http://www.baus.net/400-bad-request

Which caused one client developer to call me a non-compliant wanker here:

http://www.mackmo.com/nick/blog/java/?permalink=Please_send_400_Bad_Request_and_.txt

I then followed up with the general thought that I'm willing to be non-compliant in the name of security:

http://www.baus.net/breaking-the-spec-in-the-name-of-security

So what do you think? Is security worth non-compliance with the HTTP spec?

Christopher Baus
========
Implementing an HTTP proxy? Consider a fast, secure alternative
http://www.baus.net/
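The two reject policies discussed in the message above, as an added example (not code from the original post or from the author's proxy). The validation rules, size cap, function names and sample requests are assumptions made for the illustration; it shows what a client actually receives under each policy.

```python
import re
import socket

# Assumed strict grammar for this sketch: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"[A-Z]{1,16} [\x21-\x7e]{1,2048} HTTP/1\.[01]")
HEADER_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
MAX_HEAD = 8192  # assumed cap on the size of a request head
BAD_REQUEST = (b"HTTP/1.1 400 Bad Request\r\n"
               b"Connection: close\r\nContent-Length: 0\r\n\r\n")
# Constructed sample requests (not from the original post)
GOOD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD = b"GET /\x00 HTTP/1.1\r\nHost: example.test\r\n\r\n"


def is_acceptable(head: bytes) -> bool:
    """True if the request head passes this sketch's strict checks."""
    if len(head) > MAX_HEAD or not head.endswith(b"\r\n\r\n"):
        return False
    lines = head[:-4].split(b"\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        return False
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Reject malformed names and bare CR, LF or NUL in values.
        if not sep or not HEADER_NAME.fullmatch(name):
            return False
        if any(c in value for c in (b"\r", b"\n", b"\0")):
            return False
    return True


def respond(conn, head, policy):
    """Apply the reject policy: 'reply400' (what the spec asks) or 'drop'."""
    if is_acceptable(head):
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    elif policy == "reply400":
        conn.sendall(BAD_REQUEST)
    # policy "drop": send nothing; the close below is all the peer sees
    conn.close()


def client_view(head: bytes, policy: str) -> bytes:
    """Return the bytes a client receives for this request and policy."""
    client, server = socket.socketpair()
    client.sendall(head)
    respond(server, server.recv(MAX_HEAD + 1), policy)
    data = client.recv(4096)
    client.close()
    return data
```

Under the drop policy a rejected client reads zero bytes and cannot tell a refused request from a network failure, which is the interoperability cost the client developer objected to.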