Can the HTTP method "PATCH" be safely used across proxies etc.?


Question

Suppose my server exposes an HTTP-based API that uses the PATCH method introduced by RFC 5789. Is it possible that clients (browsers or otherwise) behind corporate firewalls, proxies, caches, parental controls filters and the like will encounter any problems using this method? If so, how likely is this?

Given that PATCH was not part of the original HTTP specs, but introduced later on, I could imagine that some programs will simply reject such requests because of the "invalid" method. On the other hand, I hope that such software simply passes through everything and at most applies some restrictions to certain HTTP methods such as POST (e.g. not caching its results).

Note that I do not ask about PATCH support on the server side or within the browser, but only about components between client and server that I neither know nor control. Also, the question whether or not PATCH in itself is a good idea for APIs is out of scope for this question.

Answer

The answer to this question is a moving target. As time progresses and PATCH either becomes more or less popular, the systems in the network may or may not support it.

Generally, the only network entities that will care about HTTP verbs will be OSI Level 3 (IP) and up devices (firewalls, proxies). Some of those are 'dumb' in the sense that they do not inspect OSI Level 4 (TCP). Others are 'smart' and can do protocol-level enforcement. For example, they will prevent you from opening port 80 and sending SMTP messages.

Even if a device is 'smart', it still can be configured to allow or not allow more uncommon HTTP verbs like PATCH. So now we must factor in the security posture of the organization hosting the device. Places with open wifi like Starbucks and airports may be quite draconian and lock down security. Same with some corporations, especially if they deal with sensitive data (financial, personal info).

The upshot is that depending on the demographic for your users, PATCH might be problematic if you do not have a fallback mechanism. I would consider restricted users in the following domains more likely to have issues: sensitive corporate environments, schools, military organizations.
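The answer ends by recommending a fallback mechanism for clients whose path to the server may strip or block the PATCH verb. The following is an added example (not code from the original question or answer) of one such fallback: the client tries a real PATCH first and, only if an intermediary answers 405 or 501, retries the same body as a POST that carries an `X-HTTP-Method-Override` header. It assumes the API server has been written to honour that header for this one verb; the header name, the toy in-process server (which can be switched into a mode that refuses PATCH, standing in for a filtering proxy), and the JSON resource are all constructed for the example.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed convention: the server must be configured to honour this header.
# It is not something the original answer specifies.
OVERRIDE_HEADER = "X-HTTP-Method-Override"


class ResourceHandler(BaseHTTPRequestHandler):
    """Toy API server for a single JSON resource. With reject_patch=True it
    behaves like a filtering intermediary that refuses the PATCH verb."""
    reject_patch = False
    store = {"name": "old"}  # constructed sample resource

    def log_message(self, *args):  # keep the example quiet
        pass

    def _read_json(self):
        length = int(self.headers.get("Content-Length", "0"))
        return json.loads(self.rfile.read(length) or b"{}")

    def _apply_patch(self):
        # Merge-style patch: shallow-update the stored resource
        ResourceHandler.store.update(self._read_json())
        payload = json.dumps(ResourceHandler.store).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_PATCH(self):
        if ResourceHandler.reject_patch:
            # What a strict proxy or firewall might return for an unknown verb
            self.send_response(405)
            self.send_header("Allow", "GET, POST")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self._apply_patch()

    def do_POST(self):
        # Tunnelled PATCH: honour the override only for this one verb, so a
        # plain POST cannot be turned into anything more powerful
        if self.headers.get(OVERRIDE_HEADER, "").upper() == "PATCH":
            self._apply_patch()
            return
        self.send_response(400)
        self.send_header("Content-Length", "0")
        self.end_headers()


def send_patch_with_fallback(url, patch_doc):
    """Try a real PATCH; if an intermediary answers 405/501, retry as POST
    with the override header. Returns (verb_used, status, response_json)."""
    data = json.dumps(patch_doc).encode()
    headers = {"Content-Type": "application/json"}
    try:
        with urlopen(Request(url, data=data, headers=headers, method="PATCH")) as r:
            return "PATCH", r.status, json.loads(r.read())
    except HTTPError as e:
        if e.code not in (405, 501):
            raise  # any other error is a real failure, not a blocked verb
    headers[OVERRIDE_HEADER] = "PATCH"
    with urlopen(Request(url, data=data, headers=headers, method="POST")) as r:
        return "POST", r.status, json.loads(r.read())


def run_scenario(reject_patch, patch_doc):
    """Start a throw-away server on a loopback port and run one client call."""
    ResourceHandler.reject_patch = reject_patch
    ResourceHandler.store = {"name": "old"}
    server = HTTPServer(("127.0.0.1", 0), ResourceHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = "http://127.0.0.1:%d/resource" % server.server_address[1]
        return send_patch_with_fallback(url, patch_doc)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_scenario(False, {"name": "new"}))  # direct PATCH accepted
    print(run_scenario(True, {"name": "new"}))   # 405 -> tunnelled via POST
```

The fallback only triggers on 405 and 501, the two statuses that signal "this verb is not understood here"; any other failure is surfaced to the caller so that a genuine server error is not silently retried. On the server side the override is accepted only for PATCH, which keeps a tunnelled request from escalating a POST into DELETE or anything else.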
