by ratorx 456 days ago
Well, there’s 2 possibilities:

1) Plain HTTP, go wild with headers. No system should have any authenticated services on this.

2) HTTP with integrity provided by a transport layer (so HTTPS, but also HTTP over WireGuard etc. for example). All headers are untrusted input, accept only a whitelisted subset.

With this framing, I don’t think it’s unreasonable for a given service to make the determination of which behaviour to allow.

I guess browser headers are still a problem. But you can get most of the way by dropping them at the request boundary before forwarding the request.
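
The allowlist-at-the-boundary approach described in the comment above, as an added example that is not part of the original post. The names `ALLOWED_HEADERS` and `filter_headers`, the allowlist contents and the sample request are assumptions made for illustration.

```python
ALLOWED_HEADERS = frozenset({  # constructed allowlist (assumption); set per service
    "host", "accept", "accept-encoding", "content-type",
    "content-length", "user-agent",
})


def filter_headers(raw_headers, allowed=ALLOWED_HEADERS):
    """Split (name, value) pairs into (forwarded, dropped_names).

    Forwarded only if the lowercased name is allowlisted, is not nominated
    as hop-by-hop by a Connection header, and neither name nor value
    contains CR, LF or NUL.
    """
    # Names listed in Connection are hop-by-hop: never forward them.
    nominated = set()
    for name, value in raw_headers:
        if name.lower() == "connection":
            nominated.update(t.strip().lower() for t in value.split(","))

    forwarded, dropped = [], []
    for name, value in raw_headers:
        key = name.lower()
        bad_bytes = any(c in name + value for c in "\r\n\0")
        # Exact match on the lowercased name, so near-miss spellings such
        # as "Host " or "content_type" fall through to the drop branch.
        if key in allowed and key not in nominated and not bad_bytes:
            forwarded.append((key, value))
        else:
            dropped.append(name)
    return forwarded, dropped


# Constructed sample request (not from the thread).
SAMPLE = [
    ("Host", "app.internal.example"),
    ("Accept", "text/html"),
    ("X-Forwarded-For", "127.0.0.1"),      # client-supplied, not allowlisted
    ("X-Authenticated-User", "admin"),     # identity header set by the client
    ("Connection", "close, Content-Type"),
    ("Content-Type", "application/json"),  # nominated by Connection above
    ("User-Agent", "curl/8.0\r\nX-Injected: 1"),  # embedded CRLF
]

if __name__ == "__main__":
    kept, removed = filter_headers(SAMPLE)
    print("forwarded:", kept)
    print("dropped:  ", removed)
```

The dropped list is worth logging at the boundary: a client that sends identity or forwarding headers it has no reason to set is a useful detection signal.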