Closed jepler closed 1 year ago
Do you have any idea how it could prevent a DoS attack? Because, to be honest, I see some aspects of security that could be improved, but not really about preventing DoS. How would it work without external services, load balancers, etc.?
We could implement rate limiting, but this would be bad from the performance standpoint. I would be happy to implement that, but right now I can't imagine how this could work on a microcontroller. And there is still DDoS...
Considering that we can't host HTTPS directly on a microcontroller (as far as I know), using e.g. nginx on a Raspberry Pi always seems logical when someone wants to expose the web server to the public. And by using nginx we can get both HTTPS and load balancing, etc.
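The nginx front-end suggested above, as an added example (not configuration from this thread or the project being discussed): nginx on a Raspberry Pi terminates TLS and enforces per-client request and connection limits, so the board itself never has to implement rate limiting. The board's LAN address, the hostname and the certificate paths are assumed placeholders.

```nginx
# Added example: nginx reverse proxy in front of a microcontroller web server.
# Assumed placeholders: board at 192.168.1.50 on the LAN, host board.example.com,
# Let's Encrypt certificate paths. Adjust to the real deployment.

# Per-client limits: 5 requests/s (burst 10) and at most 4 open connections.
limit_req_zone  $binary_remote_addr zone=board_req:1m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=board_conn:1m;

upstream board {
    server 192.168.1.50:80;   # plain HTTP, reachable only on the trusted LAN
}

server {
    listen 80;
    server_name board.example.com;
    return 301 https://$host$request_uri;   # force TLS for public clients
}

server {
    listen 443 ssl;
    server_name board.example.com;

    ssl_certificate     /etc/letsencrypt/live/board.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/board.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Reject oversized requests before they reach the board's small RAM.
    client_max_body_size 16k;
    # Drop slow or stalled clients so they cannot tie up the board's connection.
    client_header_timeout 5s;
    client_body_timeout   5s;

    location / {
        limit_req  zone=board_req burst=10 nodelay;
        limit_conn board_conn 4;

        proxy_pass http://board;
        proxy_connect_timeout 3s;
        proxy_read_timeout    10s;
        proxy_send_timeout    10s;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Clients that exceed the limits receive HTTP 503 from nginx and the request never reaches the board; the `limit_req`/`limit_conn` log lines in the nginx error log show who is being throttled.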
@michalpokusa I'd say this is just a warning about use: if you use this on the public internet, be aware you are open to this kind of attack. I don't see a reason to try to mitigate a DoS attack; if that is a possibility, you might not want to put yourself in that situation.
It probably won't be possible to really mitigate directed attacks, but the problem I reported is trivial enough that it can happen accidentally (which is how I found it).
We'd be happy to see this made more robust! The point of this change was not to dissuade folks from improving the package, but rather to be honest about the level of security that is presently provided.
... and suggest use only on trusted networks.
@ali1234