
We run two different apps on Heroku. Both have an API written in PHP and Symfony and run behind Apache. One of the frontend clients is written in Vue, the other in Angular.

In the API we serialize command and query objects from the POST body. Sometimes this process fails because fields that are needed are missing. We know this through Sentry error monitoring. There we can look into those requests, and all of them are missing the body entirely.

We've never been able to reproduce this case.

The issue spans different endpoints, different browsers and different devices (mobile and desktop) without any common denominator other than the missing request body.

Are there known issues in the network layout, Apache or Heroku which would create that behaviour in an edge case like a very slow connection, and would lead to a request being forwarded to the backend without the body? Is there anything else outside the application layout which could lead to this?

  • 1
    I would not worry much about a few odd requests coming in that are intentionally crafted to check for request-smuggling-type vulnerabilities. Headers like `Sec-Fetch-*` and `X-Requested-With` might help you spot a common denominator outside of device type and OS. – anx Sep 15 '21 at 11:32
  • Do you have [NEL](https://www.w3.org/TR/network-error-logging/) setup? If the client gets cut off by Heroku for sending odd requests headers as a result of a bug in the JavaScript application, it might still report the error back to you. – anx Sep 15 '21 at 11:51
  • @anx The requests are all POST. I will check for the headers, thanks for the input. I don't think I have NEL set up. How would I do that with Heroku? What headers would break a request so that it's still sent, but doesn't contain a body? – Christian Kolb Sep 15 '21 at 12:09
  • 1
    The textbook examples are `Transfer-Encoding: chunked` fun and large headers. I don't think these two are your problem: the defaults in Apache and Heroku are reasonable & interoperable in that regard. But do show *example headers* and your *Apache configuration*, maybe there is a clue there. – anx Sep 15 '21 at 12:56
  • 1
    NEL shares the report endpoint definition with CSP, and the incoming data would likely be parsed by the same software, so if you have Content-Security-Policy headers set, that would be the point to set up NEL as well. – anx Sep 15 '21 at 12:59
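As an added illustration of the NEL setup discussed in the comments (this is example code, not from the question author or the commenters), plain PHP that emits NEL together with the same reporting group a CSP `report-to` directive uses, and parses the reports browsers post back, keeping only network errors on POST requests; the endpoint URL and the group name `default` are assumed placeholders.

```php
<?php
// Added example: NEL + CSP sharing one reporting group, plus a parser for
// the reports the browser delivers (Content-Type: application/reports+json).
// REPORT_ENDPOINT is a placeholder; NEL only works for HTTPS origins.
const REPORT_ENDPOINT = 'https://api.example.com/_reports';

/** Response headers to send on every API/frontend response. */
function reportingHeaders(): array
{
    return [
        // Legacy group definition that NEL requires.
        'Report-To' => json_encode([
            'group' => 'default',
            'max_age' => 86400,
            'endpoints' => [['url' => REPORT_ENDPOINT]],
        ]),
        // Newer syntax for the same group (Reporting API v1).
        'Reporting-Endpoints' => 'default="' . REPORT_ENDPOINT . '"',
        // Report every failed request, no successful ones.
        'NEL' => json_encode([
            'report_to' => 'default',
            'max_age' => 86400,
            'include_subdomains' => false,
            'success_fraction' => 0.0,
            'failure_fraction' => 1.0,
        ]),
        // CSP violations go to the same group, as the comment suggests.
        'Content-Security-Policy' => "default-src 'self'; report-to default",
    ];
}

/** Return the network-error reports that concern POST requests. */
function networkErrorsForPost(string $json): array
{
    $reports = json_decode($json, true);
    if (!is_array($reports)) {
        return [];
    }
    $out = [];
    foreach ($reports as $r) {
        if (($r['type'] ?? '') !== 'network-error') {
            continue;
        }
        $b = $r['body'] ?? [];
        if (strtoupper($b['method'] ?? '') !== 'POST') {
            continue;
        }
        $out[] = [
            'url' => $r['url'] ?? '',
            'phase' => $b['phase'] ?? '',   // dns | connection | application
            'type' => $b['type'] ?? '',     // e.g. http.error, tcp.timed_out
            'status' => $b['status_code'] ?? 0,
            'elapsed_ms' => $b['elapsed_time'] ?? 0,
        ];
    }
    return $out;
}
```

Send the headers from `reportingHeaders()` on every response and route POSTs to the endpoint path into `networkErrorsForPost()`; the `phase` and `type` fields tell you whether a failure happened before the request reached the application.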

0 Answers