assertRequiredHeaders() will only complain about unsigned headers if they are actually present in the request:

This allows requests to be accepted from sloppy clients that omit critical information. Requests from such clients can be intercepted, manipulated, and replayed. E.g. a POST request without a digest header would succeed even if the digest header was required for POST requests. Such a request can be intercepted, the body manipulated, and then resent unnoticed.

Note that $request->getHeaders() will return the header names in whatever form the client sent them, not normalized to lower-case. If the required headers are all lower-case, and the client sends all upper-case headers, none of the headers will be considered "required".

Also note that the current behavior makes it impossible to effectively require (request-target), since that is never present as a header.
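The three defects described above (presence not checked, case-sensitive name comparison, and (request-target) never matchable), shown as an added example that is not the library's own code: the flawed check beside a hardened one. It assumes a PSR-7 style request whose getHeaders() returns an array of name => values; the function names and all sample arrays are constructed for illustration.

```php
<?php
// Added example, not the project's own code. Assumes a PSR-7 style request whose
// getHeaders() returns ['Name' => ['value', ...]]; the arrays below are constructed.

final class SignatureVerificationException extends RuntimeException {}

// Flawed check described in the issue: only headers actually present in the request
// are examined, and names are compared in whatever case the client sent them.
function assertRequiredHeadersFlawed(array $requestHeaders, array $signed, array $required): void
{
    foreach (array_keys($requestHeaders) as $name) {
        if (in_array($name, $required, true) && !in_array($name, $signed, true)) {
            throw new SignatureVerificationException("Required header '$name' is not signed");
        }
    }
}

// Hardened check: every required header must exist in the request AND be covered by
// the signature. Names are lower-cased on both sides, and (request-target) is always
// treated as present because it is derived from the request line, not sent as a header.
function assertRequiredHeaders(array $requestHeaders, array $signed, array $required): void
{
    $present = array_map('strtolower', array_keys($requestHeaders));
    $present[] = '(request-target)';
    $signed = array_map('strtolower', $signed);
    foreach ($required as $name) {
        $name = strtolower($name);
        if (!in_array($name, $present, true)) {
            throw new SignatureVerificationException("Required header '$name' is missing from the request");
        }
        if (!in_array($name, $signed, true)) {
            throw new SignatureVerificationException("Required header '$name' is not signed");
        }
    }
}

// Constructed sample: a POST with no Digest header, signed over (request-target), date and host.
$headers  = ['Date' => ['Tue, 01 Jan 2019 00:00:00 GMT'], 'Host' => ['example.test']];
$signed   = ['(request-target)', 'date', 'host'];
$required = ['(request-target)', 'date', 'digest'];

assertRequiredHeadersFlawed($headers, $signed, $required); // silently passes: 'Date' never matches 'date', Digest never seen
try {
    assertRequiredHeaders($headers, $signed, $required);   // throws: digest is required but absent
} catch (SignatureVerificationException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The hardened variant must run before any signature-string reconstruction, so that a client omitting a required header is rejected rather than verified over a shorter header list.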