9

Is it safe to trust the Content-Length HTTP header? According to the MDN docs it is a Forbidden header name. If I go to that page it says the following.

Modifying such headers is forbidden because the user agent retains full control over them.

But wouldn't there still be a way to spoof these values if you control the user agent?

I'm just trying to figure out how safe it is to trust those headers on that Forbidden header name page and if they are able to be spoofed at all.

Charlie Fish
  • 18,491
  • 19
  • 86
  • 179
  • Trust for what, spoofed by whom? What's the scenario you're worried about? – Joni Apr 20 '18 at 03:38
  • @Joni Trusted that it is accurate and follows the spec. For example I don't want a request to come in that in reality has a real content length of 1000 say, and the header Content-Length of 300 for example. In this scenario it would be spoofed by the client or whoever is making the request to my backend. – Charlie Fish Apr 20 '18 at 03:41

1 Answers1

5

Given the scenario you describe, yes it's possible for a client to set the incorrect Content-Length. There is no guarantee that it's correct.

If Content-Length is too large, a server might wait and time-out to get the remainder of the data. If it's too small, the server might cut the TCP connection before the entire body came in, or in the case of Connection: Keep-Alive the server might assume the client started another HTTP request, get confused and send a bad request response.

Evert
  • 93,428
  • 18
  • 118
  • 189