github.com/nodejs/node.git
author Anna Henningsen <anna@addaleax.net> 2020-07-01 02:20:09 +0300
committer Anna Henningsen <anna@addaleax.net> 2020-07-16 01:25:47 +0300
commit e876c0c308bb98ed08ec9cae9f04a65a48517be5 (patch)
tree e542873e53ea1a07e794394e3f3d14f070e97e99 /doc/api/http2.md
parent 9ae849120429870af17fbba5ed8c75a215daf899 (diff)
http2: add support for sensitive headers
Add support for “sensitive”/“never-indexed” HTTP2 headers.

Fixes: https://github.com/nodejs/node/issues/34091
PR-URL: https://github.com/nodejs/node/pull/34145
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Diffstat (limited to 'doc/api/http2.md')
-rw-r--r-- doc/api/http2.md 41
1 files changed, 40 insertions, 1 deletions
diff --git a/doc/api/http2.md b/doc/api/http2.md
index c24e43f12b0..122d9deb517 100644
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@@ -2461,6 +2461,17 @@ added: v8.4.0
Returns a [HTTP/2 Settings Object][] containing the deserialized settings from
the given `Buffer` as generated by `http2.getPackedSettings()`.
+### `http2.sensitiveHeaders`
+<!-- YAML
+added: REPLACEME
+-->
+
+* {symbol}
+
+This symbol can be set as a property on the HTTP/2 headers object with an array
+value in order to provide a list of headers considered sensitive.
+See [Sensitive headers][] for more details.
+
### Headers object
Headers are represented as own-properties on JavaScript objects. The property
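Review bot: the `http2.sensitiveHeaders` description in this hunk says the property takes "an array value" but not what the elements are; the example later in this patch passes lowercase header names that match the keys of the headers object (`'cookie'`, `'other-sensitive-header'`), so state that here, e.g. "with an array of header names (lowercase, as they appear as keys on the headers object)". `added: REPLACEME` is the usual placeholder and is expected to be filled in by the release tooling, so that part is fine as-is.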
@@ -2509,6 +2520,33 @@ server.on('stream', (stream, headers) => {
});
```
+<a id="http2-sensitive-headers"></a>
+#### Sensitive headers
+
+HTTP2 headers can be marked as sensitive, which means that the HTTP/2
+header compression algorithm will never index them. This can make sense for
+header values with low entropy and that may be considered valuable to an
+attacker, for example `Cookie` or `Authorization`. To achieve this, add
+the header name to the `[http2.sensitiveHeaders]` property as an array:
+
+```js
+const headers = {
+ ':status': '200',
+ 'content-type': 'text-plain',
+ 'cookie': 'some-cookie',
+ 'other-sensitive-header': 'very secret data',
+ [http2.sensitiveHeaders]: ['cookie', 'other-sensitive-header']
+};
+
+stream.respond(headers);
+```
+
+For some headers, such as `Authorization` and short `Cookie` headers,
+this flag is set automatically.
+
+This property is also set for received headers. It will contain the names of
+all headers marked as sensitive, including ones marked that way automatically.
+
### Settings object
<!-- YAML
added: v8.4.0
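Review bot: the example's `'content-type': 'text-plain'` is not a valid media type and will be copied verbatim by readers; it should be `'content-type': 'text/plain'`. The paragraph also says such headers are "never indexed" without saying why that protects the value: HPACK's security considerations (RFC 7541, section 7.1) explain that indexed values can be recovered by an observer of compressed frame sizes, which is the reason `Cookie` and `Authorization` are the motivating cases, and one sentence to that effect would motivate the feature. Two smaller points: "HTTP2 headers" should be "HTTP/2 headers" to match the rest of the sentence, and "short `Cookie` headers" would be clearer with the length threshold stated or a pointer to where it is defined, since users deciding whether to mark a cookie manually need that number.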
@@ -3696,5 +3734,6 @@ following additional properties:
[`tls.TLSSocket`]: tls.html#tls_class_tls_tlssocket
[`tls.connect()`]: tls.html#tls_tls_connect_options_callback
[`tls.createServer()`]: tls.html#tls_tls_createserver_options_secureconnectionlistener
-[error code]: #error_codes
[`writable.writableFinished`]: stream.html#stream_writable_writablefinished
+[error code]: #error_codes
+[Sensitive headers]: #http2-sensitive-headers
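Review bot: the `[error code]: #error_codes` reference is deleted and re-added two lines lower; if the intent is to keep the non-backticked references sorted after the backticked ones, that is reasonable, but the move is unrelated to sensitive headers and could either be mentioned in the commit message or dropped to keep the diff focused. The new `[Sensitive headers]: #http2-sensitive-headers` target matches the `<a id="http2-sensitive-headers"></a>` anchor added in the earlier hunk, so the `[Sensitive headers][]` link in the `http2.sensitiveHeaders` section resolves.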