Hi,

On Mon, May 13, 2013 at 5:22 PM, eberhard speer jr. <[email protected]> wrote:
> ...Running a web service that allows (encoded) ua's in the URL's query
> string, in such an environment would be difficult. A considerable
> number of bona-fide requests would be dropped unless you either
> drastically change the overall proxy-rules or add some complexity to
> deal with it....
Again, I don't get it ;-) Any parameter that comes into your service, whether via a URL query parameter, an HTTP header or telepathic communications, MUST be sanitized before using it in your code. This means prepared statements in SQL, cleaning up path names, setting up sensible permissions for the process that runs your service... all the usual precautions.

So I don't see the difference whether a parameter comes in via a URL or an HTTP header in terms of security - both need to be sanitized anyway.

I stick to my opinion - if you want to support an HTTP header in addition to a URL parameter, fine. This can be made configurable in our service implementation.

-Bertrand
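
An added example illustrating the point made in this reply (it is not code from the thread or from the project under discussion): a small handler that accepts the same parameter either from the URL query string or from an HTTP header, and routes both through one validation step, a prepared statement, and a path check. The parameter name `ua`, the header name `X-Client-UA`, the whitelist pattern, the `profiles` directory and the sample table rows are all constructed for the example.

```python
import os
import re
import sqlite3
from urllib.parse import parse_qs

# Whitelist for the parameter value (constructed rule for this example).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def get_param(query_string, headers, name, header_name):
    """Fetch a parameter from the URL query string, falling back to an HTTP header.

    The channel is a transport detail: whichever one delivered the value,
    it goes through the same validation below. parse_qs percent-decodes once,
    so an encoded query value arrives here already decoded.
    """
    qs = parse_qs(query_string, keep_blank_values=True)
    if qs.get(name):
        return qs[name][0]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return lowered.get(header_name.lower())


def validate_name(value):
    """Reject anything outside the whitelist; None (parameter absent) is rejected too."""
    if value is None or not SAFE_NAME.match(value):
        raise ValueError("rejected parameter value: %r" % (value,))
    return value


def safe_path(base_dir, name):
    """'Cleaning up path names': validate, join, then confirm the result is still under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, validate_name(name)))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def setup_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (ua TEXT PRIMARY KEY, hits INTEGER)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", [("curl", 3), ("wget", 1)])
    return conn


def lookup_hits(conn, ua):
    """Prepared statement: the value is bound as a parameter, never spliced into the SQL text."""
    row = conn.execute("SELECT hits FROM clients WHERE ua = ?", (ua,)).fetchone()
    return row[0] if row else 0


def handle(query_string, headers, base_dir="profiles"):
    """One request: same validation, same prepared statement, same path check for both channels."""
    ua = validate_name(get_param(query_string, headers, "ua", "X-Client-UA"))
    conn = setup_db()
    try:
        hits = lookup_hits(conn, ua)
    finally:
        conn.close()
    return {"hits": hits, "profile": os.path.basename(safe_path(base_dir, ua))}


if __name__ == "__main__":
    print(handle("ua=curl", {}))                      # value from the query string
    print(handle("", {"X-Client-UA": "wget"}))        # same value via the header
    for bad in ("ua=curl%27%20OR%201%3D1", "ua=..%2F..%2Fsecret.txt", ""):
        try:
            handle(bad, {})
        except ValueError as exc:
            print("rejected:", exc)
```

Making the header optional, as the reply suggests, is then a one-line change in `get_param`: the validation, the bound SQL parameter and the path containment check do not know or care which channel the value came from.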
