undefined | Better HN

0 pointstheamk1y ago0 comments

Wouldn't the safest thing, security-wise, to fail fast on bare 0ah?

As a web server, you may not know which intermediate proxies did the request traverse before arriving to your port. Given that request smuggling is a thing, failing fast with no further parsing on any protocol deviations seems to be the most secure thing.

0 comments

tptacek1y ago

I mean the safest thing would be to send an RST as soon as you see a SYN for 80/tcp.

theamkOP1y ago

That would have a severe downside of not letting your customers access your website.

Fast-abort on bare-0ah will still be compatible with all browsers and major http clients, thus providing extra mitigations practically for free.

RedShift11y ago

Wouldn't not replying at all be the safest?

j / k navigate · click thread line to collapse