WebApp Sec mailing list archives
RE: Dropping connection instead of returning 400
From: christopher () baus net
Date: Wed, 20 Apr 2005 11:59:33 -0700 (PDT)
Sounds like a good idea to me, but of course what are the dependencies on returning a proper 400 ? Could break things down the road. Instead of sending a RST, may want to consider just dropping the connection altogether as well. I'm a big fan of just hanging the connect, instead of resetting . Just adds another layer of pain (althought admittedly slight) to whomever's perputrating the fraud.
I spent the better part of the weekend implementing 400s. I don't like that it adds so much complexity to the implementation, but I've realized that has to be at least optional. The proxy is setup to reject perfectly valid requests that don't meet certain criteria. I could understand why admins would want to send an error in this situations. The other thing I want to point out is that google doesn't bother sending 400s when the start line is hosed. I tend to agree with google. If the client can't send a decent start line, is it worth responding to?
Current thread:
- Re: Dropping connection instead of returning 400 Kanatoko (Apr 18)
- <Possible follow-ups>
- RE: Dropping connection instead of returning 400 Matt Fisher (Apr 20)
- RE: Dropping connection instead of returning 400 christopher (Apr 21)