views:

125

answers:

3

There are many security reasons why one would want to drop an HTTP connection with no response (e.g. OWASP's SSL best practices). When these can be detected at the server level then it's no big deal. However, what if you can only detect this condition at the application level?

Does Rails, or more generally Rack, have any standard way of telling the server to drop the connection without a response? If not, are there some standard headers to pass in that will accomplish that in common web servers (I'm thinking Nginx or Apache)? Even if there is not a standard header is there a reasonable way to configure that behavior? Is this a fool's errand?

A: 

I could be wrong but I don't think Rack or Rails provide a way to drop a connection. I think the closest might be something like "render :nothing => true". But even that ironically sends something (a single space, apparently to avoid a Safari bug...), but at least it's terminating the request rather than redirecting (having the client initiate a new request) as the OWASP warns against.

class TestController < ApplicationController
  def nothing
    render :nothing => true
  end
end

>> app.get('test/nothing')
=> 200
>> app.response.body
=> " "

I hope that helps.

Mike Williamson
+1  A: 

Would you please elaborate on what you mean by "dropping a connection"? If sending back headers with whatever response code you want (Moved, Unauthorized, Not Found) is okay, you already got the answer (render :nothing, or :head). You can add :status => some_status.
If you mean dropping the connection at the TCP/IP level, as firewalls do, well, that's another thing. I doubt this is possible. And I don't think it's advisable (if possible).
And on the page you posted a link to, "dropping connection" is used as a synonym for refusing the HTTPS connection, meaning render some response with status Unauthorized or something like that.

Art Shayderov
I don't see what leads you to believe they are using "dropping connection" as a synonym for something else. Security folks tend to be very precise with their terminology.
dasil003
Well I just read the paragraph titled "HTTP connections should be dropped"
Art Shayderov
+1  A: 

Nginx has a mechanism for this. When you return the special status code 444 (it's non-standard), Nginx silently drops the connection. This happens only when you return this code from the Nginx config, i.e. like

location = /drop {
  return 444;
}

and you cannot return this status code from your application. The workaround is to return an X-Accel-Redirect: /drop header from the app to tell Nginx to use the /drop location for this request.

Alexander Azarov
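The X-Accel-Redirect workaround from the answer above, as an added example that is not part of the original posts: a Rack-compatible middleware that, when an app-level policy decides a request should be dropped, hands the request to an internal Nginx location that returns 444. The location name /drop, the `internal` directive, and the example policy (drop non-HTTPS requests based on X-Forwarded-Proto) are assumptions for the example.

```ruby
# Assumed Nginx config (internal so clients cannot request /drop directly):
#   location = /drop { internal; return 444; }
# Nginx honours X-Accel-Redirect on proxied responses, discards the body the
# app sent, and serves /drop instead, which closes the connection silently.

DROP_LOCATION = "/drop"

# Rack-style middleware: call(env) returns [status, headers, body].
# The block receives the Rack env and returns true when the request should
# be dropped at the Nginx level.
class DropConnection
  def initialize(app, &should_drop)
    @app = app
    @should_drop = should_drop
  end

  def call(env)
    if @should_drop.call(env)
      # Status and body are irrelevant here: Nginx replaces this response
      # with the result of the internal redirect to DROP_LOCATION.
      [200, { "X-Accel-Redirect" => DROP_LOCATION }, []]
    else
      @app.call(env)
    end
  end
end

# Example policy (assumed): drop plain-HTTP requests reaching an HTTPS-only
# app, using the X-Forwarded-Proto header the reverse proxy is assumed to set.
def https_only_drop(app)
  DropConnection.new(app) { |env| env["HTTP_X_FORWARDED_PROTO"] != "https" }
end

INNER_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["hello"]] }
APP = https_only_drop(INNER_APP)

# Build a minimal constructed Rack env for the given forwarded scheme and
# run it through the middleware stack.
def handle(scheme)
  APP.call("REQUEST_METHOD" => "GET", "PATH_INFO" => "/",
           "HTTP_X_FORWARDED_PROTO" => scheme)
end

if __FILE__ == $0
  status, headers, body = handle("http")
  puts "status=#{status} headers=#{headers.inspect} body=#{body.inspect}"
end
```

Without Nginx in front (e.g. running the app directly), the X-Accel-Redirect header reaches the client as an ordinary 200 response, so the drop only works behind a proxy_pass location.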