author: Loïc Hoguin <[email protected]> 2025-03-27 10:57:11 +0100
committer: Loïc Hoguin <[email protected]> 2025-03-27 10:57:11 +0100
commit: ff1204441f5bdeefaec3efa6ba741497a71f5daf (patch)
tree: ae63507cff246e3589ff55f28b1bfd4e66f7f643 /doc/src
parent: 3eaa67dd8196821bbafe78daedaf86790fd123c6 (diff)
Add a paragraph about HTTP/2 compressed headers security risk
Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/guide/protocols.asciidoc | 9
1 file changed, 9 insertions, 0 deletions
diff --git a/doc/src/guide/protocols.asciidoc b/doc/src/guide/protocols.asciidoc
index cd6de2c..daf2d66 100644
--- a/doc/src/guide/protocols.asciidoc
+++ b/doc/src/guide/protocols.asciidoc
@@ -65,6 +65,15 @@ cancellation mechanism which allows Gun to inform the
server to stop sending a response for this particular
request, saving resources.
+Note that because HTTP/2 headers are compressed, there
+are scenarios where it is possible to probe or extract
+data, creating security risks. One scenario being the
+use of Gun as a proxy to create a single connection to
+an origin, with requests coming from multiple mutually
+distrustful entities. Gun will provide configuration
+options to restrict headers that can be compressed in
+a future release.
+
=== Websocket
Websocket is a binary protocol built on top of HTTP that
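Review bot: The new paragraph at the top of this hunk names the risk ("probe or extract data") but not the mechanism, so a reader cannot judge when it applies to them; suggest stating that HPACK header compression (RFC 7541, see its section 7.1 on probing the dynamic table) lets a party sharing the connection infer the value of another party's header fields from the size of compressed frames, and that the affected data is whatever appears in request headers (cookies, authorization tokens) of the other parties. The hunk also leaves the reader without an interim mitigation until the promised configuration options ship; suggest adding one sentence such as "Until then, do not share a single Gun connection between mutually distrustful entities when their requests carry sensitive header values." Minor style point: "One scenario being the use of Gun as a proxy ..." is a sentence fragment; "One such scenario is the use of Gun as a proxy ..." reads better. Finally, "Gun will provide configuration options ... in a future release" is a forward-looking promise inside user documentation; if there is a tracking issue, link it here so the sentence can be updated or removed when the feature lands.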