HTTP Request Smuggler & Cloudflare

Hello all

I have seen articles about this on the internet, and most recently on HackerNews (I'm not posting links since I don't know if I can, but it's a recent news item on the THN site).
Does anyone know how to handle these attacks?
Are there any additional steps I need to take on my servers, or is HTTP/2 on Cloudflare's side enough?

Thanks
Isaque

Specific instances of this vulnerability can be resolved by reconfiguring the front-end server to normalize ambiguous requests before routing them onward. This is probably the only realistic solution for CDNs who don’t want to make their customers vulnerable, and Cloudflare and Fastly seem to apply it successfully.

Looks like Cloudflare is not affected by this type of attack. So assuming you have your origin webservers configured to only allow requests coming from Cloudflare, you should be fine.

1 Like
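The article quoted above recommends normalizing ambiguous requests before routing them onward. As an added example (not from this thread, the article, or Cloudflare), this Python function shows the framing checks a front end or origin could apply to an HTTP/1.1 header block, rejecting a request instead of guessing where its body ends. The function name and the sample requests are constructed for illustration.

```python
# Added example: flag HTTP/1.1 requests whose body framing is ambiguous.
# Rules follow RFC 7230 section 3.3.3; all sample requests are constructed.

def framing_problems(raw_request: bytes) -> list:
    """Return the reasons a request's framing is ambiguous ([] means OK)."""
    problems = []
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    leftover = head.replace(b"\r\n", b"")
    if b"\n" in leftover or b"\r" in leftover:
        problems.append("bare CR or LF in header block")
    content_lengths, transfer_encodings = [], []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append("header line without colon")
            continue
        if name != name.strip():
            problems.append("whitespace around header name")
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encodings.append(value.strip().lower())
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in content_lengths):
        problems.append("non-numeric Content-Length")
    if transfer_encodings and transfer_encodings != [b"chunked"]:
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems

# Constructed samples (origin.example is a placeholder host).
PREFIX = b"POST /form HTTP/1.1\r\nHost: origin.example\r\n"
CLEAN = PREFIX + b"Content-Length: 5\r\n\r\nhello"
AMBIGUOUS = PREFIX + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
DUPLICATE = PREFIX + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n"
SPACED = PREFIX + b"Transfer-Encoding : chunked\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("ambiguous", AMBIGUOUS),
                       ("duplicate", DUPLICATE), ("spaced", SPACED)]:
        print(label, framing_problems(req) or "ok")
```

A request that returns any reason should be answered with a 400 and the connection closed, so that no two servers in the chain can disagree about where it ends.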

Thank you very much!

I also want to just quickly add that Cloudflare will only perform the request normalization that the article was talking about when you have Cloudflare's proxy (orange cloud) enabled in the DNS settings, and as I already said, make sure that you only accept requests that are coming from Cloudflare.
Configuring your webserver for authenticated origin pulls is the recommended way to make sure that you only accept Cloudflare requests; however, limiting requests to their IP ranges is another (but less secure) option.

1 Like

Does Cloudflare use HTTP/2 for back-end connections?

Sadly, no. It’s still HTTP 1.1 to the origin.
