8. Security Considerations
This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP conditional requests.
Disclosure of Entity Tags
Entity-tags are often used in "off-label" ways, such as for cache synchronization across multiple intermediaries or as a means of identifying archived snapshots of content. How entity-tags are generated for a given resource is application-specific and often proprietary, and clients are meant to treat them as opaque. An entity-tag that nevertheless encodes application logic or intermediary caching behavior can reveal how to circumvent that application's access controls or how to manipulate intermediary caches, because anyone who can fetch the resource can read the tag.
An origin server ought to consider that some entity-tags disclose information that is sensitive in certain contexts. Examples include:
- Version control information (e.g., revision numbers, branch names)
- Unkeyed hashes or signatures of access-restricted content, which let a client confirm a guess at that content, or detect that two resources share it, without ever being authorized to read it
- Patterns that reveal internal implementation details, such as which backend instance or storage system produced the response
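The following is an added example, not text or code from this specification, showing two entity-tag schemes that disclose the information listed above beside an opaque keyed scheme that does not, plus a small heuristic lint over tag text. The resource identifiers, the revision and branch metadata and the secret key are constructed for the demonstration.

```python
"""Entity-tag generation: two disclosing schemes beside an opaque keyed one.

Added example, not text or code from the specification. The resource
identifiers, the 'revision'/'branch' metadata and the secret key are
constructed for the demonstration.
"""
import hashlib
import hmac
import re

# Constructed secret. In a deployment it comes from a secret store; rotating
# it merely invalidates every outstanding validator, which is safe.
ETAG_KEY = b"constructed-demo-key-do-not-use"


def disclosing_etag(revision: int, branch: str) -> str:
    """Syntactically valid strong entity-tag built from version-control
    metadata. It works as a validator, and it also tells every client
    which revision and branch currently serve the resource."""
    return f'"r{revision}-{branch}"'


def content_hash_etag(body: bytes) -> str:
    """Unkeyed hash of the representation. Deterministic and resource
    independent, so a client can compute the tag of a guessed body and use
    If-None-Match to learn whether an access-restricted resource holds it,
    or compare tags to see that two resources share content."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def opaque_etag(resource_id: str, body: bytes, key: bytes = ETAG_KEY) -> str:
    """Strong validator that changes whenever the representation changes
    and is otherwise unpredictable without the key. Mixing the resource
    identifier into the MAC means identical bodies at different URIs get
    different tags, so tags cannot be correlated across resources."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(resource_id.encode("utf-8"))
    mac.update(b"\0")                                  # domain separator
    mac.update(hashlib.sha256(body).digest())
    # 128 bits of the MAC is plenty for a validator; all hex digits are
    # legal etagc characters, so the result is a well-formed entity-tag.
    return '"' + mac.hexdigest()[:32] + '"'


# Patterns that suggest a tag carries metadata rather than an opaque value.
# Useful as a lint over a server's responses; absence of a match is not
# evidence that a tag is safe.
_DISCLOSING = (
    re.compile(r'^(W/)?"r?\d+-\w'),                   # "r1234-main", "42-hotfix"
    re.compile(r'(main|master|trunk|develop|release|hotfix)', re.IGNORECASE),
)


def looks_disclosing(etag: str) -> bool:
    """Heuristic: does the entity-tag's text match a known metadata pattern?"""
    return any(p.search(etag) for p in _DISCLOSING)
```

The keyed tag is still a correct strong validator (same resource and same bytes always give the same tag), so caching and optimistic concurrency work unchanged; what changes is that the tag no longer functions as an oracle about the content or the deployment.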
Denial of Service Using Conditional Requests
Although conditional requests can reduce network bandwidth and processing overhead by allowing cached representations to be reused, they are not a defense against denial-of-service attacks. Evaluating a precondition still requires the server to parse the request, select the representation and obtain its current validator, and a conditional request whose validator never matches is answered with a full response. A malicious client therefore gives up nothing by sending many conditional requests for different resources, or for the same resource with invalid or constantly changing conditional header fields, until the server can no longer respond.
A server ought to monitor the use of conditional requests and consider rate-limiting or other defensive measures when abnormal patterns are detected, for example a client whose preconditions almost never hold or whose validators change on every request.
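As an added example of the monitoring described above (not part of the specification), the following detection logic runs over constructed access-log lines and flags clients whose conditional traffic is both heavy and wasteful. The log format (unix time, client, method, path, status, then the conditional header as sent, if any) and the thresholds are illustrative assumptions; a real deployment would read its own log format and tune the limits.

```python
"""Flagging abusive conditional-request patterns from access-log lines.

Added example, not from the specification. The log lines are constructed
in a simplified space-separated format (unix time, client, method, path,
status, then the conditional header as sent, if any), and the thresholds
are illustrative assumptions a deployment would tune.
"""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW_SECONDS = 10        # assumption: observation window
MAX_CONDITIONAL = 20       # assumption: conditional requests per client per window
MAX_MISS_RATIO = 0.5       # assumption: conditional GETs answered with a full 200
MAX_DISTINCT_RATIO = 0.5   # assumption: distinct validators seen per request


@dataclass
class ClientStats:
    conditional: int = 0
    misses: int = 0                              # precondition did not hold
    validators: set = field(default_factory=set)


def parse_line(line: str):
    """Split one constructed log line; the conditional header is optional."""
    ts, client, method, path, status, *rest = line.split(" ", 5)
    return int(ts), client, method, path, int(status), (rest[0] if rest else "")


def analyze(lines, window: int = WINDOW_SECONDS) -> dict:
    """Return {client: [reasons]} for clients whose conditional traffic in
    some window is both heavy and wasteful. Volume alone is not flagged: a
    busy intermediary whose revalidations all succeed is doing exactly what
    conditional requests are for."""
    buckets = defaultdict(lambda: defaultdict(ClientStats))   # window -> client
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, client, method, path, status, cond = parse_line(raw)
        if not cond:
            continue                    # unconditional request; out of scope
        stats = buckets[ts // window][client]
        stats.conditional += 1
        stats.validators.add(cond)
        if method == "GET" and status == 200:
            stats.misses += 1           # validator never matched; full body sent
    flagged = defaultdict(list)
    for win, clients in buckets.items():
        for client, s in clients.items():
            if s.conditional <= MAX_CONDITIONAL:
                continue
            reasons = []
            if s.misses / s.conditional > MAX_MISS_RATIO:
                reasons.append("preconditions rarely hold; full responses sent")
            if len(s.validators) / s.conditional > MAX_DISTINCT_RATIO:
                reasons.append("validator changes on nearly every request")
            if reasons:
                reasons.insert(0, f"{s.conditional} conditional requests in window {win}")
                flagged[client].extend(reasons)
    return dict(flagged)


def constructed_log() -> list:
    """Constructed sample: a polite client, a busy honest cache, an abuser."""
    t = 1_700_000_000
    lines = []
    for i in range(5):    # well-behaved client revalidating, always 304
        lines.append(f'{t + i} 203.0.113.7 GET /index.html 304 If-None-Match:"v7"')
    for i in range(40):   # heavy but honest intermediary, always 304
        lines.append(f'{t + i % 10} 198.51.100.9 GET /app.js 304 If-None-Match:"j3"')
    for i in range(30):   # fresh bogus validator each time, each forcing a 200
        lines.append(f'{t + i % 10} 192.0.2.66 GET /report.pdf 200 If-None-Match:"x{i}"')
    lines.append(f"{t} 192.0.2.66 GET /robots.txt 200")   # unconditional, ignored
    return lines


if __name__ == "__main__":
    for client, reasons in analyze(constructed_log()).items():
        print(client, "->", "; ".join(reasons))
```

Only the client whose validators never match is reported; the intermediary that sends twice as many conditional requests but receives 304 every time is left alone, which is the distinction a rate limiter for this traffic needs to make.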
Protocol Element Length
Servers ought to place reasonable limits on the size and number of conditional header field values, particularly entity-tags within If-Match and If-None-Match header fields, as there is no standard length constraint on entity-tag values and no upper bound on how many a single field may list. Since each listed entity-tag has to be compared against the current validator, extremely long entity-tags or an excessive number of entity-tags in a single header field could be used to exhaust server resources. A server that enforces such a limit ought to reject the request with a 4xx status (such as 431 Request Header Fields Too Large, or 400 Bad Request for a malformed list) rather than attempt to evaluate the oversized field.
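The following is an added example (not code from the specification) of a bounded parser for If-Match and If-None-Match that enforces limits on total field length, per-tag length and tag count before any comparison is attempted, together with the strong and weak comparison functions. The three limits are illustrative assumptions; the grammar and comparison rules follow the entity-tag definitions. One detail the parser gets right that naive code misses: a comma is a legal character inside an opaque-tag, so the field cannot be split on commas.

```python
"""Bounded parsing and evaluation of If-Match / If-None-Match lists.

Added example, not from the specification. The three limits are
illustrative assumptions; the grammar (entity-tag, weak and strong
comparison, "*") follows the conditional-request definitions.
"""
import re

MAX_HEADER_CHARS = 4096    # assumption: whole field value (latin-1, 1 char = 1 byte)
MAX_TAGS = 32              # assumption: entity-tags per list
MAX_TAG_CHARS = 128        # assumption: one entity-tag including W/ and quotes

# entity-tag = [ "W/" ] DQUOTE *etagc DQUOTE
# etagc      = %x21 / %x23-7E / obs-text   (note: "," is 0x2C, so it is legal
#              inside a tag; splitting the field on commas is wrong)
_ENTITY_TAG = re.compile(r'(W/)?"([\x21\x23-\x7e\x80-\xff]*)"')


class PreconditionHeaderError(ValueError):
    """Malformed or over-limit field; answer 400 (or 431 when the size limit
    is the problem) instead of spending unbounded work on it."""


def parse_etag_list(value: str):
    """Parse "*" or a 1#entity-tag list. Returns the string "*" or a list of
    (weak, opaque) tuples. Empty list elements are tolerated; anything else
    that is not an entity-tag, or any limit breach, raises."""
    if len(value) > MAX_HEADER_CHARS:
        raise PreconditionHeaderError("field value too long")
    value = value.strip(" \t")
    if value == "*":
        return "*"
    tags, pos, n = [], 0, len(value)
    while pos < n:
        while pos < n and value[pos] in " \t,":     # OWS and empty elements
            pos += 1
        if pos >= n:
            break
        m = _ENTITY_TAG.match(value, pos)
        if not m:
            raise PreconditionHeaderError(f"malformed entity-tag at offset {pos}")
        if m.end() - m.start() > MAX_TAG_CHARS:
            raise PreconditionHeaderError("entity-tag too long")
        tags.append((m.group(1) is not None, m.group(2)))
        if len(tags) > MAX_TAGS:
            raise PreconditionHeaderError("too many entity-tags")
        pos = m.end()
        if pos < n and value[pos] not in " \t,":
            raise PreconditionHeaderError(f"unexpected character at offset {pos}")
    if not tags:
        raise PreconditionHeaderError("empty entity-tag list")
    return tags


def rejects(value: str) -> bool:
    """True when the field value is refused (malformed or over a limit)."""
    try:
        parse_etag_list(value)
    except PreconditionHeaderError:
        return True
    return False


def strong_match(a, b) -> bool:
    """Both tags strong and their opaque-tags identical."""
    return not a[0] and not b[0] and a[1] == b[1]


def weak_match(a, b) -> bool:
    """Opaque-tags identical regardless of weakness."""
    return a[1] == b[1]


def if_match_holds(field_value: str, current) -> bool:
    """If-Match: holds for "*" when a current representation exists, or when
    some listed tag strongly matches the current (weak, opaque) tag."""
    tags = parse_etag_list(field_value)
    if tags == "*":
        return current is not None
    return current is not None and any(strong_match(t, current) for t in tags)


def if_none_match_holds(field_value: str, current) -> bool:
    """If-None-Match: fails for "*" when a current representation exists, or
    when some listed tag weakly matches it (a GET then gets 304)."""
    tags = parse_etag_list(field_value)
    if tags == "*":
        return current is None
    return current is None or not any(weak_match(t, current) for t in tags)
```

The limits are checked as the list is scanned, so an oversized field is refused after at most MAX_TAGS successful matches rather than after building the whole list; the comparison functions are only ever handed a list whose size is already bounded.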