Serious Security: How to stop dodgy HTTP headers clogging your website | Cyber Security

You’re in a long queue at the station and your train is due soon, but there are four ticket windows open and things are moving quickly and smoothly.

You’ll have plenty of time to buy your ticket, saunter to the platform and be off on your journey.

But then one of the ticket officials puts up a POSITION CLOSED sign and goes off shift; IT arrives to service the credit card machine at the second window; the third window gets a paper jam…

…and you hear the customer at the last working window say, “I’ve changed my mind – I don’t want to travel via Central London after all, so I’d like to cancel these tickets I just bought and find a cheaper route.”

A delay that would have been little more than an irritation at any other time ends up causing a Denial of Service attack on your travel.

It won’t take you an extra hour to buy your ticket, but it will take you an extra hour to wait for the next train after you’ve narrowly missed the one you thought you’d timed perfectly.

If this has ever happened to you, you’ll appreciate this research paper from at the recent USENIX 2018 conference: Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers.