1. 9

  2. 7

    Somewhat buried in the fine print, another HSTS self-DoS. Not that HSTS is a bad idea per se, but I like collecting examples of it backfiring since it’s also on every list of “must have best headers to make your site zoom zoom” without much discussion of implications (along with HPKP).

    1. 5

      To the extent that she self-DoSed it was because she’s using “Flexible SSL” which should be right at the top of the list of things to never ever do.

    2. 2

      I wonder if the underlying problem was that somewhere there’s code that does something like this:

        if !client_accepts_gzip() {
          // assume body is not gzipped when creating cache entry
        }
      1. 2

        She says she told Apache to serve up gzipped content “no matter what” via a rewrite rule. That might have confused caches down the line. A better approach would be to use “SetOutputFilter DEFLATE”.

      2. 2

        It pisses me off that people still use CloudFlare given the severity of CloudBleed. Not only that, but the author of the post seems to be clueless about changes that CloudFlare brings to their service. CloudFlare could change their service in ways that would disrupt a lot of websites, and they could do so easily. There is also the risk of a malicious user doing significantly large amounts of damage here.
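As an added illustration of the cache bug the gzip comment above speculates about (example code, not posted by anyone in the thread): a toy edge cache sitting in front of an origin that gzips “no matter what”, recording Content-Encoding from the client’s Accept-Encoding instead of the origin’s response header, next to a version that keys entries on Accept-Encoding and trusts the origin. All names and the sample page are constructed.

```python
import gzip

# Constructed sample page served by the origin.
HTML = b"<html><body>hello</body></html>"


def origin_always_gzip(request_headers):
    """Origin that ignores Accept-Encoding and always returns gzipped bytes
    (the 'gzip no matter what' rewrite rule described in the thread)."""
    return {"Content-Encoding": "gzip", "Vary": "Accept-Encoding"}, gzip.compress(HTML)


def client_accepts_gzip(request_headers):
    return "gzip" in request_headers.get("Accept-Encoding", "")


class BuggyCache:
    """One entry per URL; encoding is guessed from the *client's* request."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, url, request_headers):
        if url not in self.store:
            _, body = self.origin(request_headers)
            # Bug: the origin's Content-Encoding header is never consulted.
            encoding = "gzip" if client_accepts_gzip(request_headers) else "identity"
            self.store[url] = (encoding, body)
        encoding, body = self.store[url]
        return {"Content-Encoding": encoding}, body


class FixedCache:
    """Entry keyed on Accept-Encoding (honouring Vary); origin header is trusted."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, url, request_headers):
        key = (url, request_headers.get("Accept-Encoding", ""))
        if key not in self.store:
            resp_headers, body = self.origin(request_headers)
            self.store[key] = (resp_headers["Content-Encoding"], body)
        encoding, body = self.store[key]
        return {"Content-Encoding": encoding}, body


def decode(resp_headers, body):
    """What a gzip-capable browser does: decompress only if the response says gzip."""
    return gzip.decompress(body) if resp_headers["Content-Encoding"] == "gzip" else body


def simulate(cache_cls):
    """A non-gzip client primes the cache, then a normal browser hits the same URL.
    Returns whether each of the two clients got the real page back."""
    cache = cache_cls(origin_always_gzip)
    first = decode(*cache.fetch("/", {"Accept-Encoding": "identity"}))
    second = decode(*cache.fetch("/", {"Accept-Encoding": "gzip, deflate"}))
    return first == HTML, second == HTML
```

With the buggy cache the first request stores gzipped bytes labelled as identity, so every later visitor receives compressed garbage until the entry expires; the fixed cache labels the entry from the origin and keeps separate entries per Accept-Encoding.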