0

Is it possible for an HTTP web server to verify Authorization header contents of a multi-part/form-data file upload request before accepting the full uploaded file contents?

Can it at least verify Authorization header for each multipart request part of a multi-part file upload request and cancel upload at least at the multi-part boundary?

Sergey Shcherbakov
  • 4,534
  • 4
  • 40
  • 65
  • Tricky question, but my own opinion is that on Auth header failure you should send a 403 with connection:close, and close the socket, even if the client is still sending tons of bytes. But I don't remember seing the Authorization headers inside the multi-part boundaries. Isn't that header only set on the main request headers? Don't you have only mime type and size on boundaries headers? – regilero Sep 04 '19 at 07:38
  • Checked the AWS file upload (content type application/octet). It sends back 403 immediately, not waiting for full file upload. Also, according to this https://stackoverflow.com/questions/14250991/is-it-acceptable-for-a-server-to-send-a-http-response-before-the-entire-request HTTP protocol doesn't require wait for full upload before responding. – Sergey Shcherbakov Sep 04 '19 at 13:24

0 Answers0