I like Robby's division into two bullets, and I like the idea of a footnote.

I wrote a note in the documentation for the new safety limits construct
that tries to address both compatibility with the old way(s) of configuring
your webserver and compatibility going forward, in that programmers can now
explicitly choose whether they want potential future protections by default
(with the corresponding risk of breakage) or whether they prefer maximum
compatibility (and correspondingly take on responsibility for staying
abreast of relevant security developments). Here it is in the pre-release
docs:
https://pre-release.racket-lang.org/doc/web-server-internal/dispatch-server-unit.html#(elem._safety-limits-porting)
I've tried to link to this note from every other part of the documentation
at all affected by these changes, particularly from the `history` block.
(One observation: these notes talk about the version of the web-server-lib
package, but not the corresponding Racket version.)

Improvements are welcome! Including improvements that take the form of just
pointing out things that are unclear or merit further detail. I think all
of the points Robby mentions are covered at least somewhat, but the
material that "more broadly discusses the threats" could probably be
expanded, particularly for the Slowloris/denial-of-service attacks. (It may
be a more obvious improvement that an attacker can no longer exhaust all
available memory just by asking for it, before your code even sees the
request.)

I do also want to note that we hope most applications will keep working
with no changes. I believe Bogdan (who did the hard work of actually
implementing these protections—I just tweaked the API and a few things at
the end) looked at Nginx and maybe other servers to try to find good
default values. The changes are permissive in various places where it
doesn't create significant vulnerabilities, and we do not impose any
limits by default if you use low-level APIs.

-Philip

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/racket-dev/CAH3z3gZtkUD%3D2nGYx7uX7T-Jmk9xudeqztH0HCxAfaS3ButRFg%40mail.gmail.com.