HTTP Headers - sgml/signature GitHub Wiki

ETag

etag_support_matrix:
  CouchDB:
    supports_etag: true
    notes: |
      CouchDB supports ETag and If-None-Match headers for documents and attachments.
      ETag support for views is more nuanced—while ETags are generated, conditional
      GETs may not always yield 304 responses due to clustering and view update mechanics.

  PouchDB:
    supports_etag: true
    notes: |
      PouchDB, as a CouchDB-compatible client-side database, supports ETag and
      If-None-Match headers when syncing with remote CouchDB instances.
      It uses these headers to optimize replication and avoid redundant data transfers.

  Laravel:
    supports_etag: true
    notes: |
      Native support via middleware is limited, but packages like `werk365/etagconditionals`
      provide full ETag and If-None-Match handling for APIs.

  Symfony:
    supports_etag: true
    notes: |
      Symfony HttpFoundation includes support for ETag and conditional responses.
      Controllers can use `$response->setEtag()` and `$response->isNotModified($request)`.

  Werkzeug:
    supports_etag: true
    notes: |
      Werkzeug includes built-in support for ETag via `Response.set_etag()` and
      conditional handling with `Request.if_none_match`. Commonly used in Flask.

  Rack:
    supports_etag: true
    notes: |
      Rack::ETag middleware automatically sets ETag headers.
      Conditional GETs using If-None-Match are handled by default.

  HTTP::Tiny:
    supports_etag: partial
    notes: |
      HTTP::Tiny is a minimalist HTTP client in Perl’s core. It allows setting and reading
      ETag and If-None-Match headers manually. While it doesn’t manage caching automatically,
      it’s well-suited for scripting conditional requests.

  requests:
    supports_etag: partial
    notes: |
      Python’s requests library allows manual use of If-None-Match and reads ETag headers.
      It does not handle caching or conditional logic automatically—you must manage headers
      and 304 responses explicitly in your code.

  HTTPD (Apache):
    supports_etag: true
    notes: |
      Apache HTTP Server supports ETag headers via the `FileETag` directive.
      Conditional requests are handled automatically.

  Nginx:
    supports_etag: true
    notes: |
      Nginx supports ETag headers for static files by default.
      For dynamic content, ETag must be manually set by upstream applications or via modules.

etag_security_notes:
  known_cves:
    - CVE-2003-1418: |
        Apache HTTPD ETag header may expose inode information, which can be used
        to infer file system structure or assist in fingerprinting attacks.
  guidance:
    - Avoid including inode or device metadata in ETag values.
    - Use `FileETag MTime Size` in Apache to mitigate exposure.
    - Be cautious of ETag-based tracking mechanisms in privacy-sensitive applications.
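
A defender-side check for the guidance above, as an added example that is not part of the original wiki page: it flags ETag values shaped like Apache's three-field `inode-size-mtime` hex form, which is what `FileETag MTime Size` removes. The function names and the sample header values are constructed, and the match is a heuristic on the value's shape.

```python
import re

# Apache's legacy default ETag for static files is three hex fields,
# inode-size-mtime; `FileETag MTime Size` drops the first. mod_deflate may
# append "-gzip", and a weak validator carries a W/ prefix.
_HEX_ETAG = re.compile(
    r'^(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+){1,2})(?:-gzip)?"$', re.IGNORECASE
)


def audit_etag(value):
    """Classify one ETag header value by shape (heuristic, not proof)."""
    match = _HEX_ETAG.match(value.strip())
    if match is None:
        # Hashes, UUIDs, application-defined tags: nothing to decode.
        return {"format": "opaque", "leaks_inode": False}
    fields = [int(f, 16) for f in match.group(1).split("-")]
    if len(fields) == 3:
        return {"format": "inode-size-mtime", "leaks_inode": True,
                "inode": fields[0], "size": fields[1]}
    # Two fields: the inode is absent (field order varies by server).
    return {"format": "two-field", "leaks_inode": False}


def leaking_paths(etags_by_path):
    """Return the sorted paths whose ETag looks like it embeds an inode."""
    return sorted(p for p, v in etags_by_path.items()
                  if audit_etag(v)["leaks_inode"])


# Constructed sample: header values as collected from your own server.
SAMPLE = {
    "/index.html": '"1a2b3c-2d-432a5e4a73a80"',
    "/app.js": 'W/"1a2b3d-1f40-432a5e4a73a80-gzip"',
    "/style.css": '"2d-432a5e4a73a80"',
    "/api/items": '"d41d8cd98f00b204e9800998ecf8427e"',
}

if __name__ == "__main__":
    for path in leaking_paths(SAMPLE):
        print(path, audit_etag(SAMPLE[path]))
```

Run it against ETag values gathered before and after changing `FileETag`; the list of flagged paths should be empty once the directive is in effect.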

References