prototypo closed this issue 9 years ago
This is applicable to anonymous POST requests.
If the request body buffer is empty (after the grace period of 10s) the TCP connection is closed. The grace period is reset whenever the request body buffer is reduced from full capacity.
This should allow the server to take its time reading the request body, but not permit the client to force it to do so.
Current versions of Callimachus have been determined to be susceptible to the "Slow HTTP POST vulnerability": https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
Adjust the timeouts on our connections to avoid this vulnerability.
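A small model of the timeout rule described in this issue, added here as an example and not taken from the Callimachus code base. The names `BodyBufferGuard` and `simulate`, the 8-byte buffer, the once-per-second timer check and the re-arming of the timer when data is still waiting for the server are all assumptions made for the illustration.

```python
from dataclasses import dataclass

GRACE = 10.0  # seconds; the grace period stated in the issue

@dataclass
class BodyBufferGuard:
    capacity: int            # request body buffer size in bytes (assumed)
    buffered: int = 0
    deadline: float = GRACE  # assumption: timer starts when the body is expected
    closed: bool = False

    def client_wrote(self, n: int) -> None:
        # Bytes beyond capacity stay in the TCP window, not in the buffer.
        self.buffered = min(self.capacity, self.buffered + n)

    def server_read(self, n: int, now: float) -> None:
        was_full = self.buffered == self.capacity
        taken = min(n, self.buffered)
        self.buffered -= taken
        if was_full and taken:
            # Reduced from full capacity: the server was the slow side,
            # so the grace period restarts.
            self.deadline = now + GRACE

    def check(self, now: float) -> bool:
        """Timer tick. Returns False once the connection is closed."""
        if not self.closed and now >= self.deadline:
            if self.buffered == 0:
                self.closed = True           # client left the buffer empty
            else:
                self.deadline = now + GRACE  # assumption: re-arm, data is waiting
        return not self.closed

def simulate(capacity, events, until):
    """Replay time-ordered (second, 'write'|'read', nbytes) events.
    Returns the second at which the connection is closed, or None."""
    guard = BodyBufferGuard(capacity)
    pending = list(events)
    for tick in range(until + 1):            # one timer check per second
        while pending and pending[0][0] <= tick:
            _, kind, n = pending.pop(0)
            if kind == "write":
                guard.client_wrote(n)
            else:
                guard.server_read(n, float(tick))
        if not guard.check(float(tick)):
            return tick
    return None

# Constructed traffic. TRICKLE: one byte every 9 s, read at once by the server.
TRICKLE = [(t, k, 1) for t in (0, 9, 18, 27) for k in ("write", "read")]
# SLOW_SERVER: the client keeps the buffer full while the server reads slowly.
SLOW_SERVER = [(0, "write", 8)] + [(t, k, 4) for t in (8, 16, 24) for k in ("read", "write")]
```

In this model the trickling client is dropped at second 10 even though it never went silent for a full 10 seconds, while the connection with the slow server stays open because each read from a full buffer restarts the timer.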