WebApp Sec mailing list archives

Dropping connection instead of returning 400

From: christopher () baus net
Date: Tue, 1 Mar 2005 20:59:37 -0800 (PST)

I have an application proxy "under my pillow" so to speak.  I've built it
from the ground up over the past couple years with security in mind.  It
has been a long and tedious task, but I think my efforts are finally
starting to pay off.

One thing that keeps coming back to me is 400 Bad Request handling.  It is
now my opinion that security proxies should just drop connection when
faced with traffic they refuse to handle.

I put some thoughts on this on my blog here:

http://www.baus.net/400-bad-request

Which cause one client developer to call me a non-compliant wanker here:

http://www.mackmo.com/nick/blog/java/?permalink=Please_send_400_Bad_Request_and_.txt

I then followed up with the general thought that I'm willing to be
non-compliant in the name of security:

http://www.baus.net/breaking-the-spec-in-the-name-of-security

So what do you think?  Is security worth non-compliance with the HTTP spec?

Christopher Baus
========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/

Current thread:

Dropping connection instead of returning 400 christopher (Mar 03)
- Re: Dropping connection instead of returning 400 Mariusz Pękala (Mar 06)
- Re: Dropping connection instead of returning 400 Michel Arboi (Mar 06)
- <Possible follow-ups>
- RE: Dropping connection instead of returning 400 Michael Silk (Mar 06)
- RE: Dropping connection instead of returning 400 christopher (Mar 06)
  - Re: Dropping connection instead of returning 400 Devdas Bhagat (Mar 09)
- Re: Dropping connection instead of returning 400 Garth Somerville (Mar 06)