Improvements #14459

open

Do not allow non-sessioned signal GET requests

Added by Matthias Van Ceulebroeck about 6 hours ago. Updated about 4 hours ago.

Status: Implemented @Emweb
Priority: Normal
Target version: -
Start date: 04/07/2026
Due date:
% Done: 0%
Estimated time:
Description

Previously, we have made two optimizations:

  1. #13878: where it was no longer allowed to get sessioned requests from bots (user agents marked as bots in the config).
  2. #13970: where a GET request with session information attached was suspected to come from a "malicious" agent.

From both of these we can take another optimization. In the case of an agent performing a GET request with ONLY a signal, this should also not be allowed.
In this case, they will receive the output of the application, and the session will be immediately terminated.

#1

Updated by Matthias Van Ceulebroeck about 5 hours ago

  • Status changed from InProgress to Review
  • Assignee deleted (Matthias Van Ceulebroeck)

#2

Updated by Romain Mardulyn about 5 hours ago

  • Assignee set to Romain Mardulyn

#3

Updated by Romain Mardulyn about 4 hours ago

  • Status changed from Review to Implemented @Emweb
  • Assignee changed from Romain Mardulyn to Matthias Van Ceulebroeck