Closed: mnot closed this 3 years ago
One brainstorming idea that occurred to me yesterday was the idea to "provide as much information as possible, to clients authorized to receive it"
I don't think that hits the right mark. 'authorised' implies a negotiation that adds complexity to the protocol, and isn't widely adopted (a few folks do it by turning on a 'debug mode' but that's hardly secure).
Much of this information is already widely promulgated by caches; e.g., see X-Cache etc. sent from most CDNs.
Is there further guidance that can be provided to inform the tradeoff between operational and security considerations?
(a) Section 2 says “While these parameters are OPTIONAL, caches are encouraged to provide as much information as possible.”
(b) Section 6 says
On the one hand, the operational guidance in (a) seems to be saying share as much as you can to support debugging. However, the security considerations of (b) remind the reader that the presence of these parameters can be exploited. Is there any additional guidance that can be provided on how this tradeoff could or should be made?