Hello! On Wed, May 28, 2014 at 05:20:54PM -0400, chili_confits wrote:
> Dear list,
>
> I have enabled gzip with
> ...
> gzip on;
> gzip_http_version 1.0;
> gzip_vary on;
> ...
> to satisfy incoming HTTP 1.0 requests.
>
> In a very similar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...
>
> This is what I send:
> HTTP/1.1 200 OK
> Server: nginx
> Date: Tue, 27 May 2014 17:55:23 GMT
> Content-Type: text/html; charset=utf-8
> Connection: keep-alive
> Vary: Accept-Encoding
> X-Content-Type-Options: nosniff
> Content-Length: ...
> ...
>
> What do you think?

The Vary header indeed indicates server-driven negotiation; this is what the gzip filter does - it returns different content (either gzipped or not) depending on whether a client supports gzip or not.

The actual question is "Why is it marked as a defect?", but it's unlikely to be answered here - you'd better ask the person who marked it.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
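The mechanism the reply describes (one URL, two representations, selected by Accept-Encoding) is exactly what Vary: Accept-Encoding exists to announce to shared caches. The following is an added illustration, not code from the thread, from nginx, or from the OWASP tool: a hypothetical origin that gzips only for clients advertising gzip, and a minimal shared cache that performs the secondary lookup on the stored response's Vary fields. With gzip_vary on (send_vary=True) an HTTP/1.0 client that sends no Accept-Encoding gets the plain body; with Vary omitted (send_vary=False) the cache hands that client the gzipped body it stored for an earlier gzip-capable client. All names, the sample page body and the request sequence are constructed for the example.

```python
import gzip
from typing import Dict, List, Tuple

Headers = Dict[str, str]

# Constructed sample page body; stands in for whatever the origin serves.
BODY = b"<html><body>constructed sample page</body></html>"


def header(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def accepts_gzip(accept_encoding: str) -> bool:
    """True if Accept-Encoding lists gzip with a non-zero q value."""
    for token in accept_encoding.split(","):
        parts = [p.strip() for p in token.split(";")]
        if not parts or parts[0].lower() != "gzip":
            continue
        q = 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        return q > 0
    return False


def origin(request: Headers, send_vary: bool = True) -> Tuple[Headers, bytes]:
    """Hypothetical origin mirroring the gzip filter: compress only for gzip-capable clients."""
    response: Headers = {"Content-Type": "text/html; charset=utf-8"}
    if send_vary:  # corresponds to gzip_vary on
        response["Vary"] = "Accept-Encoding"
    if accepts_gzip(header(request, "Accept-Encoding")):
        response["Content-Encoding"] = "gzip"
        return response, gzip.compress(BODY)
    return response, BODY


class SharedCache:
    """Toy shared cache: one URL may hold several entries, matched on the Vary fields."""

    def __init__(self, send_vary: bool = True) -> None:
        self.send_vary = send_vary
        self.entries: Dict[str, List[Tuple[Headers, Headers, bytes]]] = {}
        self.origin_hits = 0

    @staticmethod
    def _vary_fields(response: Headers) -> List[str]:
        return [f.strip() for f in header(response, "Vary").split(",") if f.strip()]

    def _matches(self, request: Headers, stored_request: Headers, response: Headers) -> bool:
        # Secondary key: every field named in Vary must have the same value in
        # the new request as in the request that produced the stored response.
        # With no Vary header there is nothing to compare, so any request matches.
        return all(header(request, f) == header(stored_request, f)
                   for f in self._vary_fields(response))

    def fetch(self, path: str, request: Headers) -> Tuple[Headers, bytes]:
        for stored_request, response, body in self.entries.get(path, []):
            if self._matches(request, stored_request, response):
                return response, body
        response, body = origin(request, self.send_vary)
        self.origin_hits += 1
        self.entries.setdefault(path, []).append((dict(request), response, body))
        return response, body


def serve_sequence(send_vary: bool) -> Dict[str, object]:
    """Warm the cache with a gzip-capable client, then serve an HTTP/1.0-style client with no Accept-Encoding."""
    cache = SharedCache(send_vary)
    _, first_body = cache.fetch("/", {"Accept-Encoding": "gzip, deflate"})
    second_headers, second_body = cache.fetch("/", {})
    return {
        "first_body": first_body,
        "second_headers": second_headers,
        "second_body": second_body,
        "origin_hits": cache.origin_hits,
    }


if __name__ == "__main__":
    for flag in (True, False):
        result = serve_sequence(flag)
        print("gzip_vary", "on " if flag else "off",
              "-> plain client got Content-Encoding:",
              header(result["second_headers"], "Content-Encoding") or "(none)",
              "| origin hits:", result["origin_hits"])
```

The accepts_gzip parser honours q=0, which a real negotiation step must do as well: a client that sends "gzip;q=0" is refusing gzip, and treating that as acceptance is the same class of mistake as ignoring Vary in the cache.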