Skip to content

domeq/nextjs-post-handling-reproduction

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
pages
pages
 
 
public
public
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
next.config.js
next.config.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Demo of how Next app opens itself for uncacheable POST requests if getServerSideProps is used

What to do to test?

  1. Run npm build && npm start
  2. Verify how a 'static' route behaves:
    • curl -s -I http://localhost:3000 correctly returns HTTP/1.1 200 OK along with content
    • curl -s -I -X POST http://localhost:3000 correctly returns HTTP/1.1 405 Method Not Allowed
  3. Verify how a 'dynamic' route (route that implements getServerSideProps) behaves:
    • curl -s -I http://localhost:3000/dynamic correctly returns HTTP/1.1 200 OK along with content
    • curl -s -I -X POST http://localhost:3000/dynamic incorrectly returns HTTP/1.1 200 OK along with content

What does it mean?

If you have any reverse-proxy caching service e.g. Cloudfront/Cloudflare/Fastly/Varnish POST requests are always passed to the origin (unless configured otherwise). This opens your site for a trivial attack that in the best case only increases your bills, in the worst cases takes overloads the site and takes it down.

getServerSideProps is a function designed to be used for data fetching on server-side - it should have nothing to do with allowing POST requests reaching the backend.

About

Demo of how Next app opens itself for uncacheable POST requests if getServerSideProps is used

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages