by theamk 621 days ago
Wouldn't the safest thing, security-wise, be to fail fast on a bare 0ah?

As a web server, you may not know which intermediate proxies the request traversed before arriving at your port. Given that request smuggling is a thing, failing fast with no further parsing on any protocol deviation seems to be the most secure thing.

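The fail-fast check being argued for above, as an added example that is not code from this thread or from any project the commenters mention. It contrasts a strict HTTP/1.1 head parser, which accepts only CRLF as a line terminator and refuses any bare CR or LF, with a lenient one that accepts a bare LF the way tolerant implementations often do. The sample request, header names and function names are all constructed for the demonstration.

```python
"""Fail-fast parsing of an HTTP/1.1 request head: bare LF (0x0a) is refused.

Constructed example for illustration. `parse_strict` accepts only CRLF line
terminators and raises on any bare CR or LF; `parse_lenient` accepts a bare
LF as a terminator. The sample request below is made up.
"""
import re


class BadRequest(ValueError):
    """Raised by the strict parser on any deviation from the grammar."""


# RFC 9110 token characters (covers methods and header field names).
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
VERSION = re.compile(rb"^HTTP/1\.[01]$")


def _split_strict(head):
    """Split on CRLF only; a CR or LF that is not part of a CRLF is fatal."""
    lines, pos = [], 0
    while True:
        end = head.find(b"\r\n", pos)
        if end == -1:
            raise BadRequest("request head not terminated by CRLF CRLF")
        line = head[pos:end]
        if b"\r" in line or b"\n" in line:
            raise BadRequest("bare CR or LF inside a line")
        pos = end + 2
        if line == b"":
            return lines, head[pos:]  # empty line ends the head; rest is body
        lines.append(line)


def _split_lenient(head):
    """Accept LF as a line terminator and drop an optional preceding CR."""
    lines, pos = [], 0
    while True:
        end = head.find(b"\n", pos)
        if end == -1:
            raise BadRequest("request head not terminated")
        line = head[pos:end]
        if line.endswith(b"\r"):
            line = line[:-1]
        pos = end + 1
        if line == b"":
            return lines, head[pos:]
        lines.append(line)


def _parse_lines(lines):
    """Parse the request line and header fields from already-split lines."""
    if not lines:
        raise BadRequest("empty request")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not TOKEN.match(parts[0]) or not VERSION.match(parts[2]):
        raise BadRequest("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # TOKEN excludes whitespace, so "Host : x" (space before colon) fails too.
        if not sep or not TOKEN.match(name):
            raise BadRequest("malformed header field")
        headers.append((name.lower(), value.strip(b" \t")))
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}


def parse_strict(raw):
    lines, body = _split_strict(raw)
    req = _parse_lines(lines)
    req["body"] = body
    return req


def parse_lenient(raw):
    lines, body = _split_lenient(raw)
    req = _parse_lines(lines)
    req["body"] = body
    return req


def rejected_by_strict(raw):
    """True if the strict parser refuses the request."""
    try:
        parse_strict(raw)
    except BadRequest:
        return True
    return False


def body_length(req):
    """Fail fast on ambiguous framing: conflicting Content-Length values, or
    Content-Length alongside Transfer-Encoding. Returns None for chunked."""
    cls = [v for n, v in req["headers"] if n == b"content-length"]
    tes = [v for n, v in req["headers"] if n == b"transfer-encoding"]
    if tes and cls:
        raise BadRequest("Content-Length together with Transfer-Encoding")
    if len(set(cls)) > 1 or any(not v.isdigit() for v in cls):
        raise BadRequest("ambiguous Content-Length")
    if tes:
        return None
    return int(cls[0]) if cls else 0


# Constructed request: the Content-Length line ends in a bare LF, and a second
# request follows the empty line. A lenient parser treats the bare LF as a
# terminator; a different lenient parser might fold it into the Content-Length
# value. That disagreement is what smuggling exploits; strict rejection avoids it.
SAMPLE = (b"POST /upload HTTP/1.1\r\n"
          b"Host: app.example\r\n"
          b"Content-Length: 0\n"
          b"X-Extra: 1\r\n"
          b"\r\n"
          b"GET /internal HTTP/1.1\r\nHost: app.example\r\n\r\n")

if __name__ == "__main__":
    print("strict rejects:", rejected_by_strict(SAMPLE))
    print("lenient headers:", parse_lenient(SAMPLE)["headers"])
```

Replacing the single bare LF in `SAMPLE` with CRLF makes the strict parser accept it, which is the compatibility point made in the thread: well-formed clients never emit the bare byte, so nothing legitimate is lost by refusing it.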

I mean the safest thing would be to send an RST as soon as you see a SYN for 80/tcp.
That would have a severe downside of not letting your customers access your website.

Fast-abort on bare-0ah will still be compatible with all browsers and major http clients, thus providing extra mitigations practically for free.

Wouldn't not replying at all be the safest?