
Commit b7adcb1

mcollina and aduh95 committed
doc: clarify HTTP/1.1 response ordering
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com>
1 parent e9a9065 commit b7adcb1

2 files changed

Lines changed: 18 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 8 additions & 0 deletions
@@ -276,6 +276,14 @@ the community they pose.
276276

277277
### Examples of non-vulnerabilities
278278

279+
#### Malicious protocol peers
280+
281+
* Node.js treats data from remote network peers as untrusted, and bugs in
282+
parsers or protocol implementations may be security vulnerabilities.
283+
* Node.js treats data order from HTTP/1.1 keep-alive connections as trusted, meaning that a Node.js
284+
client consuming unsolicited or misordered responses within the same HTTP/1.1 connection
285+
reuse lifecycle are generally not considered Node.js vulnerabilities.
286+
279287
#### Malicious Third-Party Modules (CWE-1357)
280288

281289
* Code is trusted by Node.js. Therefore any scenario that requires a malicious
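Review bot: The new bullet at lines 283-285 has a subject-verb mismatch: its subject is the singular "a Node.js client consuming unsolicited or misordered responses", but the predicate is "are generally not considered Node.js vulnerabilities". Suggest rewording to something like "meaning that scenarios in which a Node.js client consumes unsolicited or misordered responses within the same HTTP/1.1 connection reuse lifecycle are generally not considered Node.js vulnerabilities." Because the bullet directly above states that data from remote peers is untrusted, it would also help to say explicitly that only the ordering of responses on a keep-alive connection is trusted, not their contents (parser bugs remain in scope per the first bullet), and to point readers to the new "Response ordering with connection reuse" section in doc/api/http.md, which describes the mitigation (a separate `Agent`, disabling keep-alive, or `agent: false`).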

doc/api/http.md

Lines changed: 10 additions & 0 deletions
@@ -70,6 +70,14 @@ over the same connection, in which case the connection will have to be
7070
remade for every request and cannot be pooled. The `Agent` will still make
7171
the requests to that server, but each one will occur over a new connection.
7272

73+
### Response ordering with connection reuse
74+
75+
On a reused HTTP/1.1 keep-alive connection, responses are associated with
76+
requests by their order on that connection. HTTP/1.1 keep-alive does not provide
77+
per-request response attribution beyond that ordering. Applications that require
78+
per-request connection isolation can use a separate `Agent`, disable keep-alive,
79+
or pass `agent: false`.
80+
7381
When a connection is closed by the client or the server, it is removed
7482
from the pool. Any unused sockets in the pool will be unrefed so as not
7583
to keep the Node.js process running when there are no outstanding requests.
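Review bot: Lines 77-79 list "disable keep-alive" as an option without naming the mechanism; since the surrounding text is about `Agent`, it would be clearer to say how, e.g. by constructing the agent with `keepAlive: false` (the option this section of http.md already documents for `new Agent([options])`). It would also help to spell out the consequence the reader is being warned about: on a reused connection, a response that arrives out of order or without a matching request is attributed to whichever request is next in line, which is why per-request isolation (a dedicated `Agent` or `agent: false`) is the recommended approach when that matters. Finally, "per-request connection isolation" could be stated as "a dedicated connection per request" to match the "agent: false" wording used later in the same file.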
@@ -109,6 +117,8 @@ http.get({
109117
});
110118
```
111119

120+
Use `agent: false` to avoid connection reuse for a request.
121+
112122
### `new Agent([options])`
113123

114124
<!-- YAML
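Review bot: Line 120 ("Use `agent: false` to avoid connection reuse for a request.") is inserted as a stand-alone sentence right after the closing fence of the `http.get` example and does not reference that example; it reads as orphaned and partly duplicates the advice already given in the new "Response ordering with connection reuse" section above. Suggest either tying it to the example (e.g. "Pass `agent: false` in the options above to perform this request on a dedicated connection instead of a pooled one") or replacing it with a cross-reference to that section. "Avoid connection reuse" would also be more precise as "use a new connection that is not placed in the pool", since `agent: false` affects both reuse of an existing socket and pooling of the new one.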
