OpenShift GitOps / GITOPS-3671

T35: Fine-tune HTTP server settings

Type: Story
Resolution: Unresolved

      Story (Required)

      Set limits on incoming HTTP messages, and notify designated administrator roles of a violation.

      HTTP request headers and bodies

      Limit the number and length of HTTP request headers and bodies accepted from clients to the minimum the application needs. Set tighter endpoint-specific restrictions depending on each endpoint's function to minimize the attack surface.

      Limit the following request attributes:

      • Request body size
      • Number of request header fields
      • Request header fields size
      • Request line size
      • XML request body size

      Server timeout

      Tune the connection timeout settings of the server. A higher connection timeout lets a slow or idle client hold a server connection open for longer, which increases the likelihood of various types of server attacks, such as Slowloris.

      Note: A small value may cause problems for legitimate users with slow connections. Set timeout values based on your normal connection statistics.

      Tune the following timeout settings:

      • Request read timeout
      • Keep-alive timeout

      Server connections and backlog capacity

      Tune the maximum number of simultaneous connections, and increase the capacity of the backlog of pending connections where possible.

      Note: The backlog prolongs a denial of service (DoS) attack because it holds incomplete requests (including malicious ones), but reduces the impact of small attacks.

      Most web and application servers provide a configuration option for each of these limits. See the server-specific documentation, and review your application needs when adjusting each of these settings.

      Considerations

      The meaning of "reasonable" varies according to a system's available resources and an application's features and needs. Consider the following:

      • A maximum URL size of 2000 characters is considered reasonable and supported by most browsers.
        • Smaller values (256) might interfere with features such as single sign-on.
      • While a 1 MB limit on HTTP request sizes is reasonable for most applications, it might restrict file upload speeds where applicable.
      • Maximum number of concurrent connections:
        • Carefully review the operational environment, hardware, and software resources, such as system memory available to the HTTP server.
        • There is no common value that works for all environments.
      • Decreasing the keep-alive timeout might have a small performance impact.

      For more information about web server security, see Apache Security Tips.
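      The limits, timeouts and connection settings above, applied to a Go net/http server, as an added example written for this page. It is not code from OpenShift GitOps or Argo CD: the Limits type, the Enforce middleware, the Probe helper and the values in DefaultLimits (which take the 2000-character URL and 1 MB body figures from the Considerations) are assumptions made here, and the administrator notification is modelled as a callback that the deployment would connect to its alerting.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Limits groups the request-shape and timing limits the story lists. DefaultLimits
// holds constructed starting points for this example, not OpenShift GitOps settings.
type Limits struct {
	MaxBodyBytes      int64         // request body size
	MaxHeaderFields   int           // number of request header fields
	MaxHeaderBytes    int           // request line + header block, enforced by net/http
	MaxRequestLine    int           // request-target length (the "URL size" consideration)
	ReadHeaderTimeout time.Duration // request read timeout for the header block
	ReadTimeout       time.Duration // request read timeout for the whole request
	IdleTimeout       time.Duration // keep-alive timeout between requests on one connection
	MaxConnections    int           // simultaneous connections (apply with golang.org/x/net/netutil.LimitListener); the accept backlog is a kernel setting (net.core.somaxconn on Linux)
}

func DefaultLimits() Limits {
	return Limits{MaxBodyBytes: 1 << 20, MaxHeaderFields: 64, MaxHeaderBytes: 16 << 10, MaxRequestLine: 2000,
		ReadHeaderTimeout: 5 * time.Second, ReadTimeout: 30 * time.Second, IdleTimeout: 60 * time.Second, MaxConnections: 512}
}

// Violation is what the designated administrator role is told; Notifier delivers it.
type Violation struct{ Rule, Remote, Detail string }
type Notifier func(Violation)

// Enforce rejects over-limit requests before the application handler runs.
func Enforce(next http.Handler, l Limits, notify Notifier) http.Handler {
	reject := func(w http.ResponseWriter, r *http.Request, code int, rule, detail string) {
		notify(Violation{rule, r.RemoteAddr, detail})
		http.Error(w, http.StatusText(code), code)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if n := len(r.RequestURI); n > l.MaxRequestLine {
			reject(w, r, http.StatusRequestURITooLong, "request-line", fmt.Sprintf("%d bytes", n)) // 414
			return
		}
		fields := 0
		for _, v := range r.Header { // a repeated field name counts once per occurrence
			fields += len(v)
		}
		if fields > l.MaxHeaderFields {
			reject(w, r, http.StatusRequestHeaderFieldsTooLarge, "header-count", fmt.Sprintf("%d fields", fields)) // 431
			return
		}
		if r.ContentLength > l.MaxBodyBytes { // declared length: reject without reading a byte
			reject(w, r, http.StatusRequestEntityTooLarge, "body-size", fmt.Sprintf("declared %d bytes", r.ContentLength)) // 413
			return
		}
		// Chunked or misdeclared bodies: the handler's read fails at the cap instead.
		r.Body = http.MaxBytesReader(w, r.Body, l.MaxBodyBytes)
		next.ServeHTTP(w, r)
	})
}

// app stands in for the application; it reads the body so the MaxBytesReader cap is exercised.
func app(notify Notifier) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, err := io.ReadAll(r.Body)
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			notify(Violation{"body-size", r.RemoteAddr, fmt.Sprintf("exceeded %d bytes while reading", tooBig.Limit)})
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		fmt.Fprintf(w, "ok: %d body bytes\n", len(b))
	})
}

// NewServer wires the timeouts and header cap into net/http, which applies them during parsing.
func NewServer(addr string, l Limits, notify Notifier) *http.Server {
	return &http.Server{Addr: addr, Handler: Enforce(app(notify), l, notify),
		ReadHeaderTimeout: l.ReadHeaderTimeout, ReadTimeout: l.ReadTimeout,
		IdleTimeout: l.IdleTimeout, MaxHeaderBytes: l.MaxHeaderBytes}
}

// Probe runs one constructed request through the chain offline and returns the
// status plus the violations that would have been notified.
func Probe(l Limits, method, target string, hdr map[string]string, body io.Reader) (int, []Violation) {
	var seen []Violation
	notify := func(v Violation) { seen = append(seen, v) }
	req := httptest.NewRequest(method, target, body)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	Enforce(app(notify), l, notify).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	notify := func(v Violation) { fmt.Printf("ADMIN ALERT %+v\n", v) } // stand-in for role notification
	panic(NewServer("127.0.0.1:8080", DefaultLimits(), notify).ListenAndServe())
}
```

      The request-line and header-count checks run in the handler chain because net/http exposes no per-field count; MaxHeaderBytes caps the whole header block during parsing, and ReadHeaderTimeout is the setting that bounds how long a Slowloris-style client can trickle headers. A declared Content-Length above the cap is refused before any body byte is read; a chunked or misdeclared body is cut off at the cap by http.MaxBytesReader, which also tells the server to close the connection afterwards.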

      Background (Required)

      Refer to the Epic description.

      Out of scope

      Any previous counter measures.

      Approach (Required)

      • Discuss this issue in the bug triage or cabal.

      Dependencies

      NA

      Acceptance Criteria (Mandatory)

      • Bring this issue to the bug triage call and take a decision on the counter measure.
      • If further discussion is needed, bring this issue to the cabal.

      INVEST Checklist

      • Dependencies identified
      • Blockers noted and expected delivery timelines set
      • Design is implementable
      • Acceptance criteria agreed upon
      • Story estimated


      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and are running cleanly in the continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

      Assignee: Unassigned
      Reporter: Abhishek Veeramalla (aveerama@redhat.com, inactive)
      Votes: 0
      Watchers: 1