8 changes: 8 additions & 0 deletions SECURITY.md
Expand Up @@ -276,6 +276,14 @@ the community they pose.

### Examples of non-vulnerabilities

#### Malicious protocol peers

* Node.js treats data from remote network peers as untrusted, and bugs in
parsers or protocol implementations may be security vulnerabilities.
* Node.js treats data order from HTTP/1.1 keep-alive connections as trusted, meaning that a Node.js
client consuming unsolicited or misordered responses within the same HTTP/1.1 connection
reuse lifecycle are generally not considered Node.js vulnerabilities.

#### Malicious Third-Party Modules (CWE-1357)

* Code is trusted by Node.js. Therefore any scenario that requires a malicious
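Review bot: the second bullet has a subject/verb mismatch ("a Node.js client consuming ... are generally not considered") and, placed directly under a bullet that says peer data is untrusted, "treats data order ... as trusted" reads as a contradiction rather than the scoping statement it is meant to be. Suggest restating the ordering assumption and the consequence as two clauses, e.g.: "On a reused HTTP/1.1 keep-alive connection, responses are matched to requests by their order on that connection; a peer that sends unsolicited or misordered responses can therefore cause a client to attribute a response to the wrong request. This is inherent to HTTP/1.1 and is generally not considered a Node.js vulnerability." It would also help to point readers at the `http` docs for the per-request isolation options (`agent: false`, `keepAlive: false`), since the policy text gives the threat model but not the mitigation.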
10 changes: 10 additions & 0 deletions doc/api/http.md
Expand Up @@ -70,6 +70,14 @@ over the same connection, in which case the connection will have to be
remade for every request and cannot be pooled. The `Agent` will still make
the requests to that server, but each one will occur over a new connection.

### Response ordering with connection reuse

On a reused HTTP/1.1 keep-alive connection, responses are associated with
requests by their order on that connection. HTTP/1.1 keep-alive does not provide
per-request response attribution beyond that ordering. Applications that require
per-request connection isolation can use a separate `Agent`, disable keep-alive,
or pass `agent: false`.

When a connection is closed by the client or the server, it is removed
from the pool. Any unused sockets in the pool will be unrefed so as not
to keep the Node.js process running when there are no outstanding requests.
Expand Down Expand Up @@ -109,6 +117,8 @@ http.get({
});
```

Use `agent: false` to avoid connection reuse for a request.

### `new Agent([options])`

<!-- YAML
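Review bot: the added sentence "Use `agent: false` to avoid connection reuse for a request." sits as a loose one-liner after the example block and duplicates guidance the same PR adds in the "Response ordering with connection reuse" subsection. Either drop it here, or fold it into that subsection with a pointer to the `agent` option description under `http.request()` so the behaviour is documented in one place and the example block is not followed by an orphaned sentence.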