Header Vary: Accept-Encoding - security risk?

Dear list,

I have enabled gzip with

gzip on;
gzip_http_version 1.0;
gzip_vary on;

to satisfy incoming HTTP 1.0 requests.

In a very similar setup which got OWASP-evaluated, I read this - marked
as a defect:
“The web server sent a Vary header, which indicates that server-driven
negotiation was done to determine which content should be delivered. This
may indicate that different content is available based on the headers in
the HTTP request.”
IMHO this is a false positive …

This is what I send:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 May 2014 17:55:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: …

What do you think ?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250449,250449#msg-250449

Hello!

On Wed, May 28, 2014 at 05:20:54PM -0400, chili_confits wrote:

> In a very similar setup which got OWASP-evaluated, I read this - marked as
> Date: Tue, 27 May 2014 17:55:23 GMT
> Content-Type: text/html; charset=utf-8
> Connection: keep-alive
> Vary: Accept-Encoding
> X-Content-Type-Options: nosniff
> Content-Length: …
>
> What do you think ?

The Vary header indeed indicates server-driven negotiation; this
is what the gzip filter does - it returns different content (either
gzipped or not) depending on whether a client supports gzip or not.

The actual question is “Why is it marked as a defect?”, but it’s
unlikely to be answered here - you’d better ask the person who
marked it.


Maxim D.
http://nginx.org/

On Thu, May 29, 2014 at 5:48 PM, W-Mark K. [email protected] wrote:

> Do not suppress header »Vary« or you will run into problems with
> proxies, which would otherwise always serve the file gzip-ped
> regardless of a requester indicating support or lack thereof.

Do not worry.
Reading Maxim’s answer, the only thing questioned here is the ‘defect’
report itself… ;o)

*B. R.*

> 2014-05-28 23:20 GMT+02:00 chili_confits [email protected]:
>
>> “The web server sent a Vary header, which indicates that server-driven
>> negotiation was done to determine which content should be delivered. This
>> may indicate that different content is available based on the headers in the
>> HTTP request.”
>> IMHO this is a false positive …
>
> Do not suppress header »Vary« or you will run into problems with
> proxies, which would otherwise always serve the file gzip-ped
> regardless of a requester indicating support or lack thereof.
>
> Nginx does no content negotiation to the extent that would reveal
> that »/config.inc« exists if »/config« were requested with the intent
> to get »/config.css«. As you can see, even this example is
> far-fetched.
>
>
> Mark
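The cache problem Mark warns about, and the negotiation Maxim describes, as an added example that is not part of the thread and not nginx's own code: a toy shared cache (the "proxy") sits in front of an origin modelled on the posted config, once with `gzip_vary on` and once without. A gzip-capable client fetches the page first; then a client that sends no Accept-Encoding at all (a plain HTTP/1.0 client) asks for the same URL. With `Vary: Accept-Encoding` the cache keeps two variants and the second client gets plain bytes; without it the cache hands the gzip'd bytes to a client that never asked for them. The origin, cache, clients and sample body are constructed for the illustration; header matching is simplified to exact names and values, with no quality values or case folding.

```python
import gzip

# Constructed sample page body; stands in for whatever the origin serves.
BODY = b"<html><body>Hello, list! The Vary header is not a leak.</body></html>"


def origin(request, gzip_vary=True):
    """Origin with the gzip filter on, modelled on the posted nginx config
    (gzip on; gzip_vary on|off). Returns (response_headers, body)."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if gzip_vary:
        headers["Vary"] = "Accept-Encoding"  # this is what gzip_vary on adds
    if "gzip" in request.get("Accept-Encoding", ""):
        headers["Content-Encoding"] = "gzip"
        return headers, gzip.compress(BODY)
    return headers, BODY


def vary_names(headers):
    """Request-header names listed in a response's Vary header."""
    return [h.strip() for h in headers.get("Vary", "").split(",") if h.strip()]


class SharedCache:
    """Toy shared cache in front of origin(). Entries are keyed by URL plus
    the values of the request headers the stored response varies on, which
    is how a conforming HTTP cache uses Vary to select a stored variant."""

    def __init__(self, gzip_vary):
        self.gzip_vary = gzip_vary
        self.entries = {}      # url -> [(names, values, headers, body), ...]
        self.origin_hits = 0

    @staticmethod
    def _values(request, names):
        return tuple(request.get(n, "") for n in names)

    def get(self, url, request):
        for names, values, headers, body in self.entries.get(url, []):
            if self._values(request, names) == values:
                return headers, body          # cache hit for this variant
        headers, body = origin(request, self.gzip_vary)
        self.origin_hits += 1
        names = vary_names(headers)
        if "*" not in names:                  # "Vary: *" means never reuse
            self.entries.setdefault(url, []).append(
                (names, self._values(request, names), headers, body))
        return headers, body


def scenario(gzip_vary):
    """A gzip-capable client warms the cache, then a client that never
    advertised gzip (e.g. plain HTTP/1.0) asks for the same URL.
    Returns (headers, body, origin_hits) as seen by the second client."""
    cache = SharedCache(gzip_vary)
    cache.get("/", {"Accept-Encoding": "gzip, deflate"})
    headers, body = cache.get("/", {})
    return headers, body, cache.origin_hits


def legacy_client_ok(gzip_vary):
    """True when the non-gzip client receives the page as plain bytes."""
    _, body, _ = scenario(gzip_vary)
    return body == BODY


if __name__ == "__main__":
    for flag in (True, False):
        headers, body, hits = scenario(flag)
        print(f"gzip_vary={'on' if flag else 'off'}: origin hits={hits}, "
              f"Content-Encoding={headers.get('Content-Encoding')}, "
              f"legacy client OK={body == BODY}")
```

Run it stand-alone and the `gzip_vary=off` line shows one origin hit and `Content-Encoding=gzip` delivered to a client that never sent Accept-Encoding, which is exactly the misbehaviour a scanner would do well to flag; the `on` line shows two origin hits, one per variant, and a correct plain response. The header names a response varies on are the only thing Vary exposes; the cache never learns of any other resource.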