When enabling the "Enable rendering performance debugger" option in the Breakdance settings > advanced tab, it adds lots of HTTP headers to each response. This causes security issues and breaks servers that monitor the number of response headers.
To reproduce:
0- Use a secure server (litespeed + mod_security module enabled with default settings)
1- Run behind Cloudflare for security and performance purposes,
2- Create a page with at least 30 elements,
3- Publish the page with the "Password protect" feature of WordPress,
4- In a private browser (incognito mode) try to access the page,
5- It shall ask you for the password with no issues
6- Enter the correct password, then you get a 502 error from mod_security saying:
[Module:mod_security] too many resp headers
(For info, mod_security's default max value for response and request headers is set to 200. Source here.)
If you analyse the requests, the Server Timing API implementation in Breakdance adds many headers, one for each rendered block, and it adds up very fast. (See the screenshot.)
This may be exploited as a security issue.
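To make the header count concrete, here is an added Python example (not code from the report, and not Breakdance's own implementation). It builds a constructed HTTP/1.1 response in which every page element emits one Server-Timing header, counts the response headers the way a WAF with a fixed limit would, reports where the 200-header default quoted above is crossed, and shows the standard mitigation of folding all Server-Timing metrics into a single comma-separated header, which the Server-Timing specification allows. The header shapes, the per-element metric names and the fixed set of "normal" headers are assumptions for illustration only.

```python
"""
Count response headers from a raw HTTP/1.1 response and compare the
count against a WAF limit, as described in the Breakdance report.

Added example; the response is constructed here and does not reproduce
Breakdance's real output. For a live site the same count can be taken
with:  curl -sD - -o /dev/null https://example.com/page | grep -ci '^server-timing:'
"""

HEADER_LIMIT = 200  # mod_security default max header count quoted in the report


def build_sample_response(n_elements: int) -> bytes:
    """Constructed response: a few ordinary WordPress headers plus one
    Server-Timing header per page element (assumed shape, not Breakdance's)."""
    lines = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: text/html; charset=UTF-8",
        b"Cache-Control: no-cache, must-revalidate, max-age=0",
        b"Set-Cookie: wp-postpass_example=...; path=/",  # password-protected post cookie
        b"Server: LiteSpeed",
    ]
    for i in range(n_elements):
        # One metric per element; dur/desc values are made up for the example.
        metric = f'Server-Timing: element-{i};dur={0.3 + i * 0.01:.2f};desc="render element {i}"'
        lines.append(metric.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n<html></html>"


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 response into (name, value) pairs, one per
    header line, exactly as a header-counting proxy or WAF would see them."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip().lower(), value.decode("latin-1").strip()))
    return headers


def header_count(headers: list[tuple[str, str]]) -> int:
    return len(headers)


def server_timing_count(headers: list[tuple[str, str]]) -> int:
    return sum(1 for name, _ in headers if name == "server-timing")


def exceeds_limit(headers: list[tuple[str, str]], limit: int = HEADER_LIMIT) -> bool:
    """True when the response carries more headers than the WAF allows."""
    return len(headers) > limit


def coalesce_server_timing(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Mitigation: the Server-Timing field value is a comma-separated list of
    metrics, so every per-element header can be folded into one header line
    without losing any timing data. Order of the metrics is preserved."""
    metrics = [value for name, value in headers if name == "server-timing"]
    folded = [(name, value) for name, value in headers if name != "server-timing"]
    if metrics:
        folded.append(("server-timing", ", ".join(metrics)))
    return folded


def elements_needed_to_exceed(limit: int = HEADER_LIMIT) -> int:
    """Smallest element count at which the constructed response trips the limit."""
    n = 0
    while not exceeds_limit(parse_response_headers(build_sample_response(n)), limit):
        n += 1
    return n


if __name__ == "__main__":
    for n in (30, 196, 197):
        hdrs = parse_response_headers(build_sample_response(n))
        print(f"{n:4d} elements -> {header_count(hdrs):3d} headers, "
              f"{server_timing_count(hdrs):3d} Server-Timing, over limit: {exceeds_limit(hdrs)}")
    print("elements needed to exceed the limit:", elements_needed_to_exceed())
    folded = coalesce_server_timing(parse_response_headers(build_sample_response(197)))
    print("after coalescing:", header_count(folded), "headers,",
          server_timing_count(folded), "Server-Timing")
```

With the four fixed headers assumed here, the limit is crossed at 197 elements; on a real site the baseline count is higher (Cloudflare, caching and security plugins all add their own headers), so the threshold is reached with fewer page elements. After coalescing, the same timing data travels in one Server-Timing header and the total stays at five.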