From b7adcb16ab4b005e6dcd7d408c0f4e15f12e473a Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Tue, 30 Jun 2026 11:11:27 +0200 Subject: [PATCH] doc: clarify HTTP/1.1 response ordering Co-authored-by: Antoine du Hamel Signed-off-by: Matteo Collina --- SECURITY.md | 8 ++++++++ doc/api/http.md | 10 ++++++++++ 2 files changed, 18 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 8444534c77bd15..e892f06c53d593 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -276,6 +276,14 @@ the community they pose. ### Examples of non-vulnerabilities +#### Malicious protocol peers + +* Node.js treats data from remote network peers as untrusted, and bugs in + parsers or protocol implementations may be security vulnerabilities. +* Node.js treats data order from HTTP/1.1 keep-alive connections as trusted, meaning that a Node.js + client consuming unsolicited or misordered responses within the same HTTP/1.1 connection + reuse lifecycle are generally not considered Node.js vulnerabilities. + #### Malicious Third-Party Modules (CWE-1357) * Code is trusted by Node.js. Therefore any scenario that requires a malicious diff --git a/doc/api/http.md b/doc/api/http.md index 76950b95f8c5de..ac4fa457d942a6 100644 --- a/doc/api/http.md +++ b/doc/api/http.md 
@@ -70,6 +70,14 @@ over the same connection, in which case the connection will have to be remade for every request and cannot be pooled. The `Agent` will still make the requests to that server, but each one will occur over a new connection. +### Response ordering with connection reuse + +On a reused HTTP/1.1 keep-alive connection, responses are associated with +requests by their order on that connection. HTTP/1.1 keep-alive does not provide +per-request response attribution beyond that ordering. Applications that require +per-request connection isolation can use a separate `Agent`, disable keep-alive, +or pass `agent: false`. + When a connection is closed by the client or the server, it is removed from the pool. Any unused sockets in the pool will be unrefed so as not to keep the Node.js process running when there are no outstanding requests. @@ -109,6 +117,8 @@ http.get({ }); ``` +Use `agent: false` to avoid connection reuse for a request. + ### `new Agent([options])`
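Review bot: In the SECURITY.md hunk, the second bullet under "Malicious protocol peers" has a subject/verb mismatch ("a Node.js client consuming ... are generally not considered") and reads as if it contradicts the first bullet, since "treats data order ... as trusted" sits right after "treats data from remote network peers as untrusted". Suggest rewording so the distinction is explicit, e.g. "Node.js relies on the response ordering of HTTP/1.1 keep-alive connections; a Node.js client consuming unsolicited or misordered responses on a reused connection is therefore generally not considered a Node.js vulnerability." The first bullet ("bugs in parsers or protocol implementations may be security vulnerabilities") also sits oddly under the "Examples of non-vulnerabilities" heading; either move it to the vulnerabilities section or phrase it as the contrast that introduces the second bullet.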
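Review bot: In the first doc/api/http.md hunk, "disable keep-alive" in the new "Response ordering with connection reuse" section leaves the reader to find the relevant option; suggest naming it or linking to the `new Agent([options])` section below so the three alternatives (separate `Agent`, keep-alive disabled, `agent: false`) are each actionable. It would also help to state the practical consequence of the ordering rule in one sentence, namely that a server sending an unsolicited or out-of-order response on a reused connection can cause that body to be delivered to a different request, since that is the behaviour SECURITY.md in the same patch classifies as a non-vulnerability, and a cross-reference between the two files would keep them consistent.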
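Review bot: In the second doc/api/http.md hunk, the added line "Use `agent: false` to avoid connection reuse for a request." duplicates guidance already given in the new "Response ordering with connection reuse" section of the same patch and is not tied to the `http.get` example it follows. Suggest either dropping it or turning it into a short pointer, e.g. "See [Response ordering with connection reuse](#response-ordering-with-connection-reuse) for when to pass `agent: false`.", so there is a single place to maintain the recommendation.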