Re: [jetty-users] OOM by huge header size attack: setResponseHeaderSize won't work


On 24 March 2017 at 05:38, Travis Spencer <travislspencer@xxxxxxxxx> wrote:
Are other applications vulnerable if they embed Jetty (though a newer version) and do not make this call on the request? Must it be done per request or is it something that can be done server wide on startup?

The request header size is server wide... well, it is per HttpConfiguration instance, which by default is shared by all connectors on a server. So it need only be set once at startup.

The standard distribution does set it, so standard usage is not vulnerable.
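
For applications that embed Jetty, the following added example (not code from this thread or from the Jetty project) sets the limits once at startup on a shared HttpConfiguration and then checks every connector before the server starts. The class name, the 8 KiB limit and the port numbers are assumptions made for illustration.

```java
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

public class HeaderLimitedServer {
    // Assumed limit for this example; pick the value your application needs.
    static final int MAX_HEADER_BYTES = 8 * 1024;

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // One HttpConfiguration, created once at startup and shared by every connector.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setRequestHeaderSize(MAX_HEADER_BYTES);
        httpConfig.setResponseHeaderSize(MAX_HEADER_BYTES);

        for (int port : new int[] {8080, 8081}) { // constructed sample ports
            ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(httpConfig));
            connector.setPort(port);
            server.addConnector(connector);
        }

        assertHeaderLimits(server); // refuse to start with an oversized limit
        server.start();
        server.join();
    }

    // Fails fast if any HTTP/1.1 connector carries an HttpConfiguration whose
    // request header limit is larger than the one this application intends.
    static void assertHeaderLimits(Server server) {
        for (Connector connector : server.getConnectors()) {
            HttpConnectionFactory http =
                connector.getConnectionFactory(HttpConnectionFactory.class);
            if (http == null) {
                continue; // connector has no HTTP/1.1 connection factory
            }
            int size = http.getHttpConfiguration().getRequestHeaderSize();
            if (size > MAX_HEADER_BYTES) {
                throw new IllegalStateException(
                    connector + " allows request headers of " + size + " bytes");
            }
        }
    }
}
```

The check matters when a connector is built elsewhere with its own HttpConfiguration instance, since the limit applies per instance rather than per server.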


