Submitted by nitori in technology

I don't think it really matters, but I just wanted to put it out there. Maybe check either the Caddy or nginx config for the directive sending the Vary: Accept-Encoding header and remove one of them if you want to, lol.

HEAD / HTTP/1.1
Host: jstpst.net

HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Cache-Control: max-age=0, must-revalidate, private, s-maxage=10
Content-Security-Policy: default-src 'self'; img-src 'self' data: ; script-src 'self' 'unsafe-inline' 'sha256-KiBJHYgQ3JksGRdlBaZEXVQ0UvSiVF+WF0BRuAzJPtg='; style-src 'self' 'unsafe-inline' 'sha256-5djBAhgU6lT6/IvDqBYV1J+3001Gap43QwbVwQ0EoTQ='
Content-Type: text/html; charset=UTF-8
Date: Tue, 23 Jul 2024 07:31:16 GMT
Expires: Tue, 23 Jul 2024 07:31:16 GMT
Link: </build/images/icons.15414779.svg>; rel="preload",</bundles/bazingajstranslation/js/translator.min.js?aee7f7cac8e57879>; rel="preload",</js/translations/config.js?95e71d595f9f19b9>; rel="preload",</js/translations/en.js?766e1ac7d71f0aad>; rel="preload",</build/runtime.db876f5c.js>; rel="preload"; as="script",</build/19896.6638e802.js>; rel="preload"; as="script",</build/main.7ec49732.js>; rel="preload"; as="script",</build/fonts/Roboto.630767dc.css>; rel="preload"; as="style",</build/core.8dd1d529.css>; rel="preload"; as="style",</build/themes/jst.664e87bc.css>; rel="preload"; as="style"
Referrer-Policy: same-origin
Server: Caddy
Server: nginx/1.24.0
Vary: Accept-Encoding
Vary: Origin
Vary: Accept-Encoding
Vary: Accept-Language
Vary: Cookie
X-Content-Security-Policy: default-src 'self'; img-src 'self' data: ; script-src 'self' 'unsafe-inline' 'sha256-KiBJHYgQ3JksGRdlBaZEXVQ0UvSiVF+WF0BRuAzJPtg='; style-src 'self' 'unsafe-inline' 'sha256-5djBAhgU6lT6/IvDqBYV1J+3001Gap43QwbVwQ0EoTQ='
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
3
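A quick way to audit a captured response for exactly this kind of doubling, as an added example that is not part of the thread: the script below parses a raw HTTP/1.1 header block (the constructed sample is trimmed from the response in the post above), folds repeated list fields such as Vary the way RFC 9110 section 5.3 lets a recipient treat them (several field lines are equivalent to one line joined with commas), and reports members that occur more than once as well as non-list fields, like Server, that arrive on more than one line. The function names and the LIST_FIELDS subset are the example's own assumptions.

```python
from collections import defaultdict

# Constructed sample, trimmed from the response captured in the post above
# (body omitted; CRLF line endings as on the wire).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Alt-Svc: h3=\":443\"; ma=2592000\r\n"
    "Cache-Control: max-age=0, must-revalidate, private, s-maxage=10\r\n"
    "Server: Caddy\r\n"
    "Server: nginx/1.24.0\r\n"
    "Vary: Accept-Encoding\r\n"
    "Vary: Origin\r\n"
    "Vary: Accept-Encoding\r\n"
    "Vary: Accept-Language\r\n"
    "Vary: Cookie\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

# Field names whose value is a comma-separated list (RFC 9110 section 5.3),
# so repeating the field line is equivalent to one line joined with commas.
# This subset is the example's own choice, not an exhaustive list.
LIST_FIELDS = {"vary", "cache-control", "accept-encoding", "link", "via",
               "connection", "allow", "content-encoding"}


def parse_headers(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw response head into its status line and a name -> [values]
    map. Names are lower-cased (field names are case-insensitive); every
    occurrence of a field is kept, in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    fields: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        fields[name.strip().lower()].append(value.strip())
    return status, dict(fields)


def list_members(values: list[str]) -> list[str]:
    """Fold every occurrence of a list field into its individual members."""
    members = []
    for value in values:
        members.extend(m.strip() for m in value.split(",") if m.strip())
    return members


def duplicate_members(values: list[str]) -> list[str]:
    """Members that appear more than once across all occurrences. Compared
    case-insensitively (Vary carries field names); returned lower-cased in
    first-seen order."""
    seen, dups = set(), []
    for member in list_members(values):
        key = member.lower()
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def audit(raw: str) -> list[str]:
    """Human-readable findings about repeated header fields in a response."""
    _, fields = parse_headers(raw)
    findings = []
    for name, values in fields.items():
        if len(values) < 2:
            continue
        if name in LIST_FIELDS:
            for dup in duplicate_members(values):
                findings.append(
                    f"{name}: member '{dup}' repeated across {len(values)} field lines")
        else:
            findings.append(f"{name}: non-list field sent {len(values)} times: {values}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

A compliant cache treats the folded Vary value as a set of field names, so the repeated Accept-Encoding member changes nothing, which is why the post's "doesn't really matter" holds. Server is not a list field, so its two lines cannot be folded and are the clearer sign that both the Caddy and nginx layers are each adding their own headers.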

Comments


emma wrote

Might wanna add one or two more, just to be safe.

5

nitori OP wrote (edited)

also why u no support HTTP/1.0 (which also means no HTTP/0.9) :(

When trying to use http/1.0 or http/0.9 as the ALPN protocol:

$ openssl s_client -connect jstpst.net:443 -servername jstpst.net -alpn http/1.0
CONNECTED(00000003)
4027744A687F0000:error:0A000460:SSL routines:ssl3_read_bytes:reason(1120):../ssl/record/rec_layer_s3.c:1584:SSL alert number 120
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 327 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

When I fake ALPN to http/1.1:

$ openssl s_client -connect jstpst.net:443 -servername jstpst.net -alpn http/1.1
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = jstpst.net
verify return:1
---
[ssl certs and blah blah blah...]
---
read R BLOCK
GET / HTTP/1.0

HTTP/1.0 200 OK
Alt-Svc: h3=":443"; ma=2592000
Server: Caddy
Date: Tue, 23 Jul 2024 07:38:39 GMT
Content-Length: 0

closed
2
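What the first s_client run is actually showing, as an added example that is not the poster's own code: "SSL alert number 120" is the fatal no_application_protocol alert (RFC 8446 section 6.2), which RFC 7301 requires a server to send when the client offers ALPN but none of the identifiers match, and "has read 7 bytes" is exactly one TLS alert record (a 5-byte record header plus a 2-byte alert body). http/1.0 and http/0.9 are not registered ALPN identifiers (RFC 7301 registered only http/1.1 for HTTP/1), so that alert is the expected reply, and the second run shows that an HTTP/1.0 request is still accepted once the connection has been negotiated as http/1.1. The script below decodes such a record from a constructed 7-byte sample and, for a live probe, hand-builds a minimal TLS 1.2 ClientHello carrying SNI plus a single ALPN identifier and classifies the server's first reply as a ServerHello or an alert. The record version bytes in the sample, the cipher-suite and group choices, the ALERT_NAMES subset and the host name used in the live probe are the example's assumptions; the probe in the __main__ block needs network access.

```python
import os
import socket
import struct

TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16

# Alert descriptions relevant to ALPN/SNI probing (RFC 8446 section 6.2);
# a subset chosen for this example.
ALERT_NAMES = {
    40: "handshake_failure",
    70: "protocol_version",
    112: "unrecognized_name",
    120: "no_application_protocol",
}

# Constructed sample: the 7 bytes openssl read in the post's first run,
# reconstructed from "SSL alert number 120" (level fatal=2, description 0x78).
# The record version bytes (0x0303) are an assumption.
SAMPLE_ALERT_RECORD = b"\x15\x03\x03\x00\x02\x02\x78"


def parse_record(data: bytes) -> tuple[int, bytes]:
    """Split one TLS record off the front of data; return (content_type, fragment)."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated TLS record")
    return content_type, fragment


def describe_reply(data: bytes) -> str:
    """Classify the server's first record: a named alert or a ServerHello."""
    content_type, fragment = parse_record(data)
    if content_type == TLS_ALERT and len(fragment) == 2:
        level, description = fragment
        level_name = {1: "warning", 2: "fatal"}.get(level, str(level))
        return f"alert {level_name} {description} ({ALERT_NAMES.get(description, 'unknown')})"
    if content_type == TLS_HANDSHAKE and fragment and fragment[0] == 2:
        return "server_hello"
    return f"unexpected content type {content_type}"


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str, alpn_protocols: list[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello (RFC 5246) with server_name (RFC 6066) and
    ALPN (RFC 7301) extensions, plus the groups and signature algorithms a
    server needs to be able to pick an ECDHE-GCM suite. This is not a full TLS
    client: it only elicits the server's first reply."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    extensions = (
        _ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list)
        + _ext(0x0010, struct.pack("!H", len(protos)) + protos)
        + _ext(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))          # x25519, secp256r1
        + _ext(0x000B, b"\x01\x00")                                      # uncompressed points
        + _ext(0x000D, struct.pack("!HHHH", 6, 0x0403, 0x0804, 0x0401))  # ecdsa_p256, rsa_pss_rsae, rsa_pkcs1 (sha256)
    )
    suites = struct.pack("!HHH", 0xC02B, 0xC02F, 0xC030)  # ECDHE-{ECDSA,RSA}-AES128-GCM, ECDHE-RSA-AES256-GCM
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"             # TLS 1.2, client random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                      # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe_alpn(host: str, alpn: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one ClientHello offering a single ALPN identifier and report the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, [alpn]))
        return describe_reply(sock.recv(4096))


if __name__ == "__main__":
    print("sample record:", describe_reply(SAMPLE_ALERT_RECORD))
    # Live probe (needs network); the host name is taken from the post.
    for proto in ("http/0.9", "http/1.0", "http/1.1", "h2"):
        print(proto, "->", probe_alpn("jstpst.net", proto))
```

Because the ClientHello offers only one ALPN identifier, a ServerHello in reply means the server accepted that identifier, and a no_application_protocol alert means it did not; the probe never completes the handshake, so it needs neither the server's certificate nor any key exchange.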