Only allow GET and HEAD requests

cloud-gov / pages-proxy

Proxies traffic from the Federalist S3 bucket

Other

4 stars 14 forks source link

Only allow GET and HEAD requests #187

Closed apburnes closed 1 year ago

apburnes commented 1 year ago

To improve security posture, only allow GET and HEAD request methods in the proxy.

Acceptance Criteria

[x] Returns a 405 status code if any other method is requested

svenaas commented 1 year ago

This is a good move. You're too quick, @apburnes 😀

svenaas commented 1 year ago

Is the 405 a specific requirement? The limit_except directive can do this pretty tidily but I think it returns a 403.

apburnes commented 1 year ago

@svenaas 405 is Method Not Allowed while a 403 is Forbidden where returning the status could be interpreted as insufficient rights to a resource. I went with 405 to return the more semantic status.

svenaas commented 1 year ago

I agree that's better. It's a little weird that limit_except doesn't seem to provide a way to specify the response code for a particular use. That reduces the utility of the directive.