
Clarify that requests with Content-Length: 0 do not require a Content… #1510

Merged (1 commit), Oct 3, 2024

Conversation

JoostK
Contributor

@JoostK JoostK commented Oct 2, 2024

…-Type header

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

This PR fixes issue #1508.

@randomstuff

randomstuff commented Oct 2, 2024

For requests with Content-Length: 0 no Content-type header is expected.

Is there an ambiguity here whether this is 1) "we might not have a Content-type in some cases" or 2) "you must not use a Content-Type"? I would claim we want (1).

@jmanico
Member

jmanico commented Oct 2, 2024

I think "we might not have a Content-type in some cases" is the better direction here. There are some API's that will require it even with empty content.

@JoostK
Contributor Author

JoostK commented Oct 2, 2024

For requests with Content-Length: 0 no Content-type header is expected.

Is there an ambiguity here whether this is 1) "we might not have a Content-type in some cases" or 2) "you must not use a Content-Type"? I would claim we want (1).

I was trying to avoid this but the current wording does indeed leave this ambiguity. I mentioned some potential alternatives in #1508 (comment).
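As an added example (not code from this PR or from the cheat sheet itself), here is a server-side Content-Type check that implements reading (1) from the discussion: a request with no body (Content-Length: 0, or no length and no Transfer-Encoding) is accepted without a Content-Type, but whenever the header is present it is still validated against an allow-list. ALLOWED_TYPES and the rejection strings are assumptions.

```python
# Added example: content-type validation that tolerates a missing Content-Type
# only when the request carries no body. Not code from the OWASP cheat sheet.
from typing import Mapping, Optional

# Assumption: this API only accepts JSON request bodies.
ALLOWED_TYPES = {"application/json"}


def _media_type(value: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return value.split(";", 1)[0].strip().lower()


def check_content_type(headers: Mapping[str, str], allowed=ALLOWED_TYPES) -> Optional[str]:
    """Return None if the request is acceptable, else a rejection reason (status + text).

    Header names are matched case-insensitively; `headers` is assumed to hold one
    value per header name.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Work out whether a body is present: chunked/other Transfer-Encoding implies one,
    # otherwise a non-zero Content-Length does. Reject malformed lengths outright.
    if "transfer-encoding" in h:
        has_body = True
    else:
        length = h.get("content-length")
        if length is None:
            has_body = False
        elif not length.isdigit():
            return "400 Bad Request: malformed Content-Length"
        else:
            has_body = int(length) > 0

    ctype = h.get("content-type")
    if ctype is None:
        # No Content-Type is fine for an empty request (Content-Length: 0 / no body);
        # a body without a declared type is rejected.
        return None if not has_body else "415 Unsupported Media Type: missing Content-Type"

    # A Content-Type that is present is validated even if the body is empty, since
    # some APIs require it (see the discussion above) and an unexpected one is suspect.
    if _media_type(ctype) not in allowed:
        return f"415 Unsupported Media Type: {ctype!r} is not allowed"
    return None
```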

@szh szh linked an issue Oct 2, 2024 that may be closed by this pull request
@JoostK JoostK force-pushed the rest-request-content-length-zero branch from 4fc4f86 to 3f054f1 on October 2, 2024 19:51
@mackowski mackowski merged commit 4a74707 into OWASP:master Oct 3, 2024
3 checks passed
Successfully merging this pull request may close these issues.

Update: REST Security Cheat Sheet