tags:

views:

125

answers:

3
Q: 

Is there anyway to make a Rails / Rack application tell the web server to drop the connection

There are many security reasons why one would want to drop an HTTP connection with no response (eg. OWASP's SSL best practices). When these can be detected at the server level then it's no big deal. However, what if you can only detect this condition at the application level?

Does Rails, or more generally Rack, have any standard way of telling the server to drop the connection without a response? If not, are there some standard headers to pass in that will accomplish that in common web servers (I'm thinking Nginx or Apache)? Even if there is not a standard header is there a reasonable way to configure that behavior? Is this a fool's errand?

A: 

I could be wrong but I don't think Rack or Rails provide a way to drop a connection. I think the closest might be something like "render :nothing => true". But even that ironically sends something (A single space, apparently to avoid a Safari bug...) but at least its terminating the request rather than redirecting (having the client initiate a new request) as the OWASP warns against.

class TestController < ApplicationController
  def nothing
    render :nothing => true
  end
end

>> app.get('test/nothing')
=> 200
>> app.response.body
=> " "

I hope that helps.

Mike Williamson  2010-04-03 10:48:52
+1  A: 

Would you please elaborate on what you mean by "dropping a connection"? If sending back headers with whatever response code you want (Moved, Unauthorized, Not Found) is okay - you already got the answer (render :noting, or :head). You can add :status => some_status.
If you mean dropping connection on TCP/IP level, as do firewalls, well that's another thing. I doubt this is possible. And I don't think advisable (if possible).
And on the page you posted link to "dropping connection" is used as a synonym to refuse HTTPS connection - means render some response with status Unauthorized or something like that.

Art Shayderov  2010-04-03 17:11:26
I don't see what leads you to believe they are using "dropping connection" as a synonym for something else. Security folks tend to be very precise with their terminology.
dasil003  2010-04-04 12:26:48
Well I just read the paragraph titled "HTTP connections should be dropped"
Art Shayderov  2010-04-04 20:11:04
+1  A: 

Nginx has a mechanism for this. When you are returning a special status code 444 (it's non-standard), Nginx silently drops the connection. This happens only when you return this code from the Nginx config, i.e. like

location = /drop {
  return 444;
}

and you cannot return this status code from your application. The workaround is to return X-Accel-Redirect: /drop header from the app to tell Nginx use /drop location for this request.

Alexander Azarov  2010-04-04 08:26:04

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security