Die Open Source Programme nginx und Apache httpd sind bereits gepatcht, die Closed Source Programme von u.a. MicroSlop sind noch angreifbar.

Aber Open Source isr ja viel zu unsicher und eh nur Hobby Projekte. Nicht wahr?

Nur ein Client nötig HTTP/2 Bomb legt Webserver in Sekunden lahm
https://www.golem.de/news/nur-ein-client-noetig-http-2-bomb-legt-webserver-in-sekunden-lahm-2606-209396.html

#nginx #apachehttpd #MicrosoftIIS #http2bomb #opensource

Codex Discovered a Hidden HTTP/2 Bomb

14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.

💥 https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

#http2 #break #http2Bomb #compression #web #http #nginx #Apache #httpd #Microsoft #IIS #Envoy #Cloudflare #Pingora #Apachehttpd #MicrosoftIIS #CloudflarePingora #webserver #server

How to deploy a #Mojolicious web app to shared web hosting with Apache and CGI?

I’m having problems configuring ".htaccess" so that all pages are transparently handled by myapp.pl as a CGI script without revealing the CGI path and without breaking links in the app.

See here for details:
https://serverfault.com/questions/1190950/setup-mojolicious-app-transparently-via-cgi-with-apache-mod-rewrite

#httpd #ApacheHttpd #CGI #Perl

Today's stupid #webdev trick:

I'm using #ApacheHTTPD web server with #ServerSideIncludes, and needed to set a response header.

The solution was to set a variable in the .shtml file, e.g.

<!--#set var="OVERRIDE" value="1" -->

and in the server configuration add

Header set My-Header "new-value" env=OVERRIDE