terraform-aws-next-js-image-optimization
Limit Accept header values to accepted image formats
The `Accept` header is part of the CloudFront cache key by default. Since it is set by the client, every distinct value of the header results in a cache miss and a separate request to the origin, which opens a potential attack vector.
Limiting the header to a fixed list of browser default values is risky, since those defaults can change at any time. An alternative approach is to use a CloudFront function that normalizes the header on each request:
- Detect AVIF support -> replace the `Accept` header with `image/avif,image/webp,*/*`
- Detect WebP support -> replace the `Accept` header with `image/webp,*/*`
- Otherwise -> replace the header with `*/*`
The advantage of using a CloudFront function for this is that it is relatively cheap ($0.10 per 1 million invocations) and the modified header is used to look the object up in the cache instead of hitting the origin. So two otherwise identical requests with different headers, `Accept: image/webp,*/*` and `Accept: image/webp,a/b,*/*`, would both be served from the same cached object. The disadvantage is that the CloudFront function is invoked for every request, whether the object is in the cache or not.
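The normalization described above as a viewer-request CloudFront Function. This is an added example, not code from the project; it assumes the `Accept` value is a comma-separated list of media types where any `;q=` parameters can be ignored for format detection, and it uses the CloudFront Functions event shape (lower-case header names, each header as `{ value: '...' }`).

```javascript
// Added example (not the project's own code): normalize the Accept header so
// the CloudFront cache key only varies over the formats the optimizer can
// actually produce (AVIF, WebP, or anything else).
// Assumption: the header is a comma-separated media-type list; parameters
// such as ";q=0.9" are stripped before matching.
function normalizeAccept(value) {
  var accepted = {};
  var parts = (value || '').split(',');
  for (var i = 0; i < parts.length; i++) {
    // Drop parameters and whitespace, compare case-insensitively
    var type = parts[i].split(';')[0].trim().toLowerCase();
    if (type) accepted[type] = true;
  }
  // Collapse every possible client value into one of three canonical strings
  if (accepted['image/avif']) return 'image/avif,image/webp,*/*';
  if (accepted['image/webp']) return 'image/webp,*/*';
  return '*/*';
}

// CloudFront Functions viewer-request entry point. The rewritten header is
// what CloudFront uses for the cache lookup and forwards to the origin.
function handler(event) {
  var request = event.request;
  var current = request.headers['accept'] ? request.headers['accept'].value : '';
  request.headers['accept'] = { value: normalizeAccept(current) };
  return request;
}
```

Because the function runs on every viewer request, a missing or malformed `Accept` header still yields `*/*` rather than an error, so it never blocks a request.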
x-ref: https://github.com/milliHQ/terraform-aws-next-js-image-optimization/issues/75