Commit d739f6b

mcollina and aduh95 committed
doc: clarify HTTP/1.1 response ordering
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com>
1 parent d7a658a commit d739f6b

2 files changed

Lines changed: 18 additions & 0 deletions

SECURITY.md

Lines changed: 8 additions & 0 deletions
@@ -284,6 +284,14 @@ the community they pose.
284284
* Defense-in-depth issues are never treated as Node.js security vulnerabilities,
285285
do not receive CVEs, and are handled as regular bugs or hardening improvements.
286286

287+
#### Malicious protocol peers
288+
289+
* Node.js treats data from remote network peers as untrusted, and bugs in
290+
parsers or protocol implementations may be security vulnerabilities.
291+
* Node.js treats data from HTTP/1.1 keep-alive connections as trusted, meaning that a Node.js
292+
client consuming unsolicited or misordered responses within the same HTTP/1.1 connection
293+
reuse lifecycle are generally not considered Node.js vulnerabilities.
294+
287295
#### Malicious Third-Party Modules (CWE-1357)
288296

289297
* Code is trusted by Node.js. Therefore any scenario that requires a malicious
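Review bot: The second new bullet does not parse: "a Node.js client consuming unsolicited or misordered responses ... are generally not considered Node.js vulnerabilities" pairs a singular subject with a plural verb. Either make it "is generally not considered a Node.js vulnerability" or recast it as "scenarios in which a Node.js client consumes unsolicited or misordered responses within the same HTTP/1.1 connection reuse lifecycle are generally not considered Node.js vulnerabilities". Read together, "treats data from remote network peers as untrusted" and "treats data from HTTP/1.1 keep-alive connections as trusted" also look contradictory; the intent appears to be that the client trusts the server it is already connected to on a reused connection to answer in request order (response attribution), not that bytes from that server are exempt from the parser-bug rule in the first bullet, so say that explicitly, and consider pointing readers to the "Response ordering with connection reuse" section this commit adds to `doc/api/http.md` for the `agent: false` / separate `Agent` mitigation.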

doc/api/http.md

Lines changed: 10 additions & 0 deletions
@@ -70,6 +70,14 @@ over the same connection, in which case the connection will have to be
7070
remade for every request and cannot be pooled. The `Agent` will still make
7171
the requests to that server, but each one will occur over a new connection.
7272

73+
### Response ordering with connection reuse
74+
75+
On a reused HTTP/1.1 keep-alive connection, responses are associated with
76+
requests by their order on that connection. HTTP/1.1 keep-alive does not provide
77+
per-request response attribution beyond that ordering. Applications that require
78+
per-request connection isolation can use a separate `Agent`, disable keep-alive,
79+
or pass `agent: false`.
80+
7381
When a connection is closed by the client or the server, it is removed
7482
from the pool. Any unused sockets in the pool will be unrefed so as not
7583
to keep the Node.js process running when there are no outstanding requests.
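Review bot: The last sentence lists "a separate `Agent`", "disable keep-alive" and "pass `agent: false`" as interchangeable ways to get per-request connection isolation, but they are not equivalent: `agent: false` forces a fresh connection for that one request, whereas a separate `Agent` only isolates requests from other consumers of the pool and will still associate responses with requests by order on whatever connections it reuses. Suggest stating which option actually guarantees one connection per request, and naming how keep-alive is disabled (the `Agent` option) rather than leaving "disable keep-alive" unanchored. It would also help to tie this paragraph back to the existing text above ("the connection will have to be remade for every request and cannot be pooled"), since that already describes the no-reuse behaviour the new section recommends.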
@@ -109,6 +117,8 @@ http.get({
109117
});
110118
```
111119

120+
Use `agent: false` to avoid connection reuse for a request.
121+
112122
### `new Agent([options])`
113123

114124
<!-- YAML
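Review bot: "Use `agent: false` to avoid connection reuse for a request." lands as a detached one-liner between the closing code fence and the `new Agent([options])` heading, and it repeats the advice already given in the "Response ordering with connection reuse" section added earlier in this file. Either show `agent: false` in the `http.get({ ... })` example options it follows, or replace the sentence with a cross-reference to that section so the guidance lives in one place.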