Dear list,
I have enabled gzip with
…
gzip on;
gzip_http_version 1.0;
gzip_vary on;
…
to satisfy incoming HTTP 1.0 requests.
In a very similiar setup which got OWASP-evaluated, I read this - marked
as
a defect:
“The web server sent a Vary header, which indicates that server-driven
negotiation was done to determine which content should be delivered.
This
may indicate that different content is available based on the headers in
the
HTTP request.”
IMHO this is a false positive …
This is what I send:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 May 2014 17:55:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: …
…
What do you think ?
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250449,250449#msg-250449
Hello!
On Wed, May 28, 2014 at 05:20:54PM -0400, chili_confits wrote:
In a very similiar setup which got OWASP-evaluated, I read this - marked as
Date: Tue, 27 May 2014 17:55:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: …
…
What do you think ?
The Vary header indeed indicates server-driven negotiation, this
is what gzip filter does - it returns different content (either
gzipped or not) depending on whether a client supports gzip or not.
The actual question is “Why it is marked as a defect?”, but it’s
unlikely to be answered here - you’d better ask the person who
marked it.
–
Maxim D.
http://nginx.org/
On Thu, May 29, 2014 at 5:48 PM, W-Mark K.
[email protected]wrote:
Do not suppress header »Vary« or you will run into problems with
proxies, which would otherwise always serve the file gzip-ped
regardless of a requester indicating support or lack thereof.
Do not worry.
Reading Maxim’s answer, the only thing questioned here is the ‘defect’
report
itself… ;o)
*B. R.*
2014-05-28 23:20 GMT+02:00 chili_confits [email protected]:
“The web server sent a Vary header, which indicates that server-driven
negotiation was done to determine which content should be delivered. This
may indicate that different content is available based on the headers in the
HTTP request.”
IMHO this is a false positive …
Do not suppress header »Vary« or you will run into problems with
proxies, which would otherwise always serve the file gzip-ped
regardless of a requester indicating support or lack thereof.
Nginx does no content negotiation to the extend which would reveal
that »/config.inc« exists if »/config« were requested with the intend
to get »/config.css«. As you can see, even this example is
far-fetched.
–
Mark