|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Dropping connection instead of returning 400
christopher
baus.net
Date: Tue Mar 01 2005 - 22:59:37 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I have an application proxy "under my pillow" so to speak. I've built it
from the ground up over the past couple years with security in mind. It
has been a long and tedious task, but I think my efforts are finally
starting to pay off.
One thing that keeps coming back to me is 400 Bad Request handling. It is
now my opinion that security proxies should just drop connection when
faced with traffic they refuse to handle.
I put some thoughts on this on my blog here:
http://www.baus.net/400-bad-request
Which cause one client developer to call me a non-compliant wanker here:
http://www.mackmo.com/nick/blog/java/?permalink=Please_send_400_Bad_Request_and_.txt
I then followed up with the general thought that I'm willing to be
non-compliant in the name of security:
http://www.baus.net/breaking-the-spec-in-the-name-of-security
So what do you think? Is security worth non-compliance with the HTTP spec?
Christopher Baus
========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]