homelab/traefik
1
0
Fork 0
Code Activity

Reject suspicious encoded characters

Browse source 
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
This commit is contained in:
Romain 2025-12-04 15:10:05 +01:00 committed by GitHub
parent 0b6438b7c0
commit 4d7d627319
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 804 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

9
docs/content/security/content-length.md
View file

@ -3,7 +3,8 @@ title: "Content-Length"
description: "Enforce strict ContentLength validation in Traefik by streaming or full buffering to prevent truncated or overlong requests and responses. Read the technical documentation."
---
Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client. This live check blocks truncated or overlong streams without holding the entire message.
Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client.
This live check blocks truncated or overlong streams without holding the entire message.
If you need Traefik to read and verify the full body before any data moves on, add the [buffering middleware](../middlewares/http/buffering.md):
@ -20,5 +21,7 @@ With buffering enabled, Traefik will:
- Compare the actual byte count to the `Content-Length` header.
- Reject the message if the counts do not match.
!!!warning
Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency. Use it when strict content validation is critical to your security posture.
!!! warning
Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency.
Use it when strict content validation is critical to your security posture.