author: Glenn Strauss <gstrauss@gluelogic.com> 2022-04-20 14:52:52 -0400
committer: Glenn Strauss <gstrauss@gluelogic.com> 2022-05-05 13:35:18 -0400
commit: c183b8875b4b0daa7cbc4b7dbf91cb46b1e87e69 (patch)
tree: d666ff0713fa1f925f0289a8f0a65a9ffb7f80b7 /src/response.h
parent: fbade1850f5ceffdb2cf4c561fa44f73093a484d (diff)
download: lighttpd-git-c183b8875b4b0daa7cbc4b7dbf91cb46b1e87e69.tar.gz
[core] delay response to http auth invalid creds
server.feature-flags += ("auth.delay-invalid-creds" => "enable")

The default is enabled.

This feature delays a response to bad http auth (invalid username or password) to the next second, so up to 1 sec delay.

Delaying the response greatly reduces the efficiency of brute force password attacks, limiting tries to one-per-second per connection.

Limiting the number of client connections allowed by lighttpd with server.max-connections sets an upper bound on password tries per second, but also makes it easier for an attacker to DoS (denial of service) the server. Therefore, while this mitigation is enabled by default, it can be disabled with

server.feature-flags += ("auth.delay-invalid-creds" => "disable")
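To make the "up to 1 sec delay" and "one-per-second per connection" claims in the commit message concrete, here is an added example (not lighttpd's code) that computes the next-second deadline for a delayed response and simulates a single connection whose client retries as soon as each failure arrives, with and without the delay. The rounding policy (a response that lands exactly on a second boundary is held for a full second) and the round-trip time are assumptions of the example, not facts from the commit.

```c
#include <stdint.h>
#include <stdio.h>

/* Milliseconds from now_ms (a non-negative wall-clock value in ms) until the
 * next whole-second boundary. The result is always in (0, 1000]: exactly on a
 * boundary we still hold the response for a full second. This boundary policy
 * is an assumption of this example, not lighttpd's implementation. */
static int64_t delay_to_next_second_ms(int64_t now_ms)
{
    return 1000 - (now_ms % 1000);
}

/* Absolute time (ms) at which a failed-auth response would be released. */
static int64_t response_deadline_ms(int64_t now_ms)
{
    return now_ms + delay_to_next_second_ms(now_ms);
}

/* Simulate one connection: the client sends the next guess rtt_ms after each
 * failure response arrives. Returns how many failure responses the client
 * receives in [start_ms, end_ms) when each response is delayed to the next
 * second boundary. */
static int delayed_guesses_in_window(int64_t start_ms, int64_t end_ms,
                                     int64_t rtt_ms)
{
    int n = 0;
    int64_t t = start_ms;          /* time the current guess reaches the server */
    for (;;) {
        int64_t sent = response_deadline_ms(t);
        if (sent >= end_ms)
            break;
        ++n;
        t = sent + rtt_ms;         /* next guess arrives one round trip later */
    }
    return n;
}

/* Same simulation without the delay: the server answers immediately, so the
 * guess rate is bounded only by the round trip. */
static int undelayed_guesses_in_window(int64_t start_ms, int64_t end_ms,
                                       int64_t rtt_ms)
{
    int n = 0;
    int64_t t = start_ms;
    for (;;) {
        if (t >= end_ms)
            break;
        ++n;
        t += rtt_ms;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: a 10-second window and a 10 ms round trip. */
    printf("delay at t=1500ms: %lld ms\n", (long long)delay_to_next_second_ms(1500));
    printf("guesses/10s, delayed:   %d\n", delayed_guesses_in_window(0, 10000, 10));
    printf("guesses/10s, undelayed: %d\n", undelayed_guesses_in_window(0, 10000, 10));
    return 0;
}
```

With the delay, the simulated connection gets roughly one failure response per second regardless of how fast the client can turn guesses around; without it, the count scales with 1/rtt. The per-server bound the commit message describes is then the number of connections lighttpd allows (server.max-connections) times one guess per second.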
Diffstat (limited to 'src/response.h')

-rw-r--r-- src/response.h | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/response.h b/src/response.h
index 4509c2d1..d1fb2467 100644
--- a/src/response.h
+++ b/src/response.h
@@ -59,6 +59,9 @@ void http_response_upgrade_read_body_unknown(request_st *r);
int http_response_transfer_cqlen(request_st *r, struct chunkqueue *cq, size_t len);
__attribute_cold__
+void http_response_delay(connection *con);
+
+__attribute_cold__
int http_response_omit_header(request_st *r, const data_string *ds);
void http_response_write_header(request_st *r);
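Review bot: the new `http_response_delay(connection *con);` declaration carries no comment saying what it does or when it fires, so a reader of the header has to go to response.c to learn that it holds a response to invalid http auth credentials until the next second and that it is gated by the `auth.delay-invalid-creds` feature flag from the commit message; a one-line comment above the prototype would fix that. The same comment could say why this function takes `connection *con` when every neighbouring declaration in the hunk takes `request_st *r`: the commit message describes the delay as applying per connection, and making that explicit in the header avoids the question coming up in later reviews. The re-added `__attribute_cold__` for `http_response_omit_header` keeps that declaration's existing attribute intact, which looks correct.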