Score:0

Sometimes POST request from client to backend does not contain body


We run 2 different apps on Heroku. Both have an API written with PHP and Symfony and run through an Apache. One of the frontend clients is written with Vue the other with Angular.

In the API we serialize command and query objects from the POST body. Sometimes this process fails because fields that are needed are missing. We know this through Sentry error monitoring. There we can look into those requests and all of them are missing the body entirely.

We've never been able to reproduce this case.

The issue spans over different endpoints, different browsers, different devices (mobile and desktop) without any common denominator other than the missing request body.

Are there known issues in the network layout, Apache or Heroku which would create that behaviour in an edge case like a very slow connection? Which would lead to a request being forwarded to the backend without the body? Is there any other thing without the application layout which could lead to this?

anx
I would not worry much about a few odd requests coming in that are intentionally crafted to check for request-smuggling-type vulnerabilities. Headers like `Sec-Fetch-*` and `X-Requested-With` might help you spot a common denominator outside of device type and OS.
anx
Do you have [NEL](https://www.w3.org/TR/network-error-logging/) setup? If the client gets cut off by Heroku for sending odd requests headers as a result of a bug in the JavaScript application, it might still report the error back to you.
@anx The requests are all POST. I will check for the headers, thanks for the input. I don't think I have NEL set up. How would I do that with Heroku? What headers would break a request so that it's still sent, but doesn't contain a body?
anx
The textbook examples are `Transfer-Encoding: chunked` fun and large headers. I don't think these two are your problem: the defaults in Apache and Heroku are reasonable & interoperable in that regard. But do show *example headers* and your *Apache configuration*, maybe there is a clue there.
anx
NEL shares report endpoint definition with CSP and the incoming data would likely be parsed by the same software, so if you have Content-Security-Policy headers set that would be the point to setup NEL as well.
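As an added illustration of the shared NEL/CSP report endpoint anx describes (example code, not from the question or from Heroku/Apache): the helper below builds the `Report-To`/`NEL` response headers and parses whatever lands on the endpoint, then tallies NEL network-error reports for POST requests by failure phase and type. The endpoint URL, the group name `default`, and the sample reports are constructed assumptions.

```python
"""Shared report endpoint for NEL and CSP (added example, not the page's code)."""
import json
from collections import Counter


def reporting_headers(endpoint_url, max_age=86400):
    """Response headers that opt a browser into NEL, reporting to group 'default'."""
    report_to = {"group": "default", "max_age": max_age,
                 "endpoints": [{"url": endpoint_url}]}
    nel = {"report_to": "default", "max_age": max_age, "failure_fraction": 1.0}
    return {"Report-To": json.dumps(report_to), "NEL": json.dumps(nel)}


def parse_reports(raw_body, content_type):
    """Normalise one incoming POST into [{'source': ..., 'report': ...}] records.

    Reporting API deliveries (NEL, CSP report-to) are a JSON array with
    application/reports+json; legacy CSP report-uri posts one object wrapped
    in {"csp-report": {...}} with application/csp-report.
    """
    data = json.loads(raw_body.decode("utf-8"))
    if content_type.startswith("application/csp-report"):
        return [{"source": "csp-violation", "report": data.get("csp-report", data)}]
    if content_type.startswith("application/reports+json"):
        return [{"source": r.get("type", "unknown"), "report": r} for r in data]
    return []


def summarise_nel_failures(records, method="POST"):
    """Count NEL failures per (phase, type) for requests using `method`.

    Successful samples ('ok') are skipped; what remains shows whether the
    affected POSTs died in the dns, connection or application phase.
    """
    counts = Counter()
    for rec in records:
        if rec["source"] != "network-error":
            continue
        body = rec["report"].get("body", {})
        if body.get("method") != method or body.get("type") == "ok":
            continue
        counts[(body.get("phase"), body.get("type"))] += 1
    return counts


# Constructed sample delivery: two POST reports (one failure, one success),
# one GET failure and one CSP report sharing the same endpoint.
SAMPLE_REPORTS = json.dumps([
    {"type": "network-error", "url": "https://api.example/cmd", "age": 10,
     "body": {"method": "POST", "phase": "connection", "type": "tcp.reset"}},
    {"type": "network-error", "url": "https://api.example/cmd", "age": 12,
     "body": {"method": "POST", "phase": "application", "type": "ok"}},
    {"type": "network-error", "url": "https://api.example/q", "age": 30,
     "body": {"method": "GET", "phase": "application", "type": "http.protocol.error"}},
    {"type": "csp-violation", "url": "https://app.example/", "age": 5,
     "body": {"blockedURL": "inline", "effectiveDirective": "script-src"}},
]).encode("utf-8")

if __name__ == "__main__":
    recs = parse_reports(SAMPLE_REPORTS, "application/reports+json")
    print(summarise_nel_failures(recs))
```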