The whole trick lies in marrying two mechanisms that have been known for ages. HTTP/2 can compress request headers to avoid repeating the same thing a hundred times over, and it is precisely this generosity that the attacker turns against the server: by referencing, thousands of times, a header that was slipped in only once, the machine ends up allocating memory by the bucketful for something that, at the outset, weighs almost nothing.
It's like a shell bomb, but in HTTP/2 via decompression. The attack has a data ratio of 5000:1.
100 Mb/s can therefore cause 500 Gb/s of DoS.
Source: https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
Definitions, with examples of locales.
i18n: The design and development of a product that is enabled for target audiences that vary in culture, region, or language.
l10n: The tailoring of a system to the individual cultural expectations of a specific target market or group of individuals.
Locale: an identifier for a set of international preferences
As well as the RFCs that define them, notably with the example of the HTTP headers "Content-Language" and "Accept-Language".
Locales are also used via the lang attribute, the specifics of translate, dir and hreflang in HTML; and the possible uses in CSS via selectors.
Small binaries (75 KB) to include a healthcheck in containers. The CLI tool is httpcheck, but there are multiple other commands.
Cache-Group-Invalidation invalidates a cache by name.
Cache-Control can set multiple directives:
- public and private
- max-age defines the amount of time until which the client can consider the response "fresh"
- must-revalidate indicates the HTTP cache should not reuse stale responses when they are disconnected from the origin server
- no-store disables the cache for the request
- no-cache means "do not serve a copy from cache until you've revalidated it with the server and the server said you can use the cached copy". no-cache will always hit the network as it has to revalidate with the server before it can release the browser's cached copy. It will always hit at least an HTTP header response
- must-revalidate needs an associated max-age directive at which time the browser will revalidate.
- immutable avoids revalidation
- stale-while-revalidate provides a grace period (defined by us in seconds) in which the browser is permitted to use an out of date (stale) asset while we're checking for a newer version.
- stale-if-error provides a grace period if the server returns a 5xx error
- I overlooked s-maxage, proxy-revalidate, no-transform (useless for HTTPS) for proxies
Cache Busting strategies:
- no cache busting (dangerous) - style.css
- query string (does not work with proxies, e.g. Cloudflare) - style.css?v=1.2.14
- fingerprint - style.ae3f66.css
Fingerprinting is the best and allows the use of the immutable directive.
Note that there is a new Clear-Site-Data: cache in case of need. Browser support is limited.
The post provides examples: Online Banking Page, Live Train Timetable Page, FAQs Page, Static JS (or CSS) App Bundle
This add-on shows, with a colored icon, whether the SSL/TLS certificate currently used by the website is classified as trustworthy by Mozilla or only by the local computer. Helps to identify proxies.
green shield for Mozilla certificates
blue shield for other certificates
Create a CA locally and use it to generate certificates. So it's perfect for local network requests (https, etc.)
From the basics to minimal rust implementations of HTTP/1.1 and HTTP2
Finally, the organization has user data privacy concerns, as it now has to retain, manage, and protect a sizable database of email addresses linked to issuance records to notify the appropriate parties.
application/x-www-form-urlencoded and multipart/form-data are still messy years later.
The official definition of MIME types
An idea to put URL query parameters in the body of the request.
It is useful to avoid the limitations of the URL length. Another use case is a custom DSL inside the request body.
In the end, it's less readable than GET but more powerful.