
Subject: Re: [boost] [review][beast] Review of Beast starts today : July 1 - July 10
From: Artyom Beilis (artyom.beilis_at_[hidden])
Date: 2017-07-06 20:32:12


> May be there could be more hints for client/server developers.
> E.g. where is the best place / how is the best practice to add
> cookie-handling, Authentication challenges, etc.
>
>

Funnily, for someone who has actually solved numerous of these issues, this
question can easily be rephrased as:

> Now that I have finally learned how to ride a bicycle, let's ask for tips on driving a semi-trailer.

And this is **the major** problem of the library.

In the CppCMS framework the HTTP part is less than 2.5% of the core
code. The rest is the "minor" stuff like cookies, sessions, URL parsing
and much, much more. And note - I'm talking about the server part only.

Now, once you choose to use Beast, you'll hit the wall very quickly, as
you'll have to do all the tricks on your own, and they will consume most of
your work: for example URL decoding, parsing query strings, parsing or
generating trivial forms, or handling trivial cookies. So instead of
concentrating on your application's issues, you are going to deal with
1001 small issues that require both experience and knowledge to do
right.

The biggest problem is actually that the vast majority of security issues do
not come from HTTP parsing at all, but rather from all the "minor stuff" [1]
that is left out of the scope of Beast.

The question you wrote raised a big red flag for me -
without proper, well-organized tools that handle the "minor stuff",
Beast users are virtually doomed to writing insecure code. Unlike most
HTTP servers/clients, which are built with security by design - do the safe
thing by default - Beast leaves ALL of this to the end user.

This part **extremely** concerns me - as somebody who has actually
developed both web services and tools to make them secure, and who is aware
of the unforgiving nature of the WWW.

Artyom Beilis

[1]: http://cppcms.com/wikipp/en/page/secure_programming
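The "minor stuff" the post lists (URL decoding, query-string parsing, cookie handling) as an added example, not code from the original post nor from Beast or CppCMS: plain standard C++17 with no Beast types, where every function name, the parameter cap and the hard-coded Set-Cookie attributes are this example's own choices. It shows the edge cases that a hand-rolled version typically gets wrong: truncated or non-hex percent escapes, duplicate query keys, an unbounded parameter count, and attacker-influenced cookie values that could break out of a header.

```cpp
// Added example, not Beast or CppCMS code: the "minor stuff" done with checks.
#include <map>
#include <optional>
#include <string>
#include <string_view>

// Decode a percent-encoded component. A '%' not followed by two hex digits is
// rejected (nullopt) instead of being passed through or dropped, so "%2" or
// "%zz" cannot slip past a later check. plus_as_space applies the
// application/x-www-form-urlencoded rule '+' -> ' '.
std::optional<std::string> percent_decode(std::string_view in, bool plus_as_space) {
    auto hex = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '%') {
            if (i + 2 >= in.size()) return std::nullopt;      // truncated escape
            int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
            if (hi < 0 || lo < 0) return std::nullopt;         // non-hex escape
            out.push_back(static_cast<char>(hi * 16 + lo));
            i += 2;
        } else if (c == '+' && plus_as_space) {
            out.push_back(' ');
        } else {
            out.push_back(c);
        }
    }
    return out;
}

using Params = std::multimap<std::string, std::string>;

// Parse "a=1&b=x%20y&c" into key/value pairs. Duplicate keys are kept so the
// caller decides first-wins vs last-wins explicitly (parameter pollution);
// max_params (an assumed limit) bounds the work one request can force.
std::optional<Params> parse_query(std::string_view qs, std::size_t max_params = 1000) {
    Params params;
    std::size_t start = 0;
    while (start <= qs.size()) {
        std::size_t end = qs.find('&', start);
        if (end == std::string_view::npos) end = qs.size();
        std::string_view pair = qs.substr(start, end - start);
        if (!pair.empty()) {
            if (params.size() >= max_params) return std::nullopt;
            std::size_t eq = pair.find('=');
            std::string_view k = pair.substr(0, eq);
            std::string_view v = (eq == std::string_view::npos) ? std::string_view{} : pair.substr(eq + 1);
            auto dk = percent_decode(k, true);
            auto dv = percent_decode(v, true);
            if (!dk || !dv) return std::nullopt;
            params.emplace(*dk, *dv);
        }
        start = end + 1;
    }
    return params;
}

// Parse a request "Cookie:" header value ("a=1; b=2") per RFC 6265 4.2.1:
// split on ';', trim spaces, split at the first '='. Values are not
// percent-decoded; browsers send them verbatim. Nameless pairs are dropped.
Params parse_cookie_header(std::string_view header) {
    Params cookies;
    std::size_t start = 0;
    while (start <= header.size()) {
        std::size_t end = header.find(';', start);
        if (end == std::string_view::npos) end = header.size();
        std::string_view pair = header.substr(start, end - start);
        while (!pair.empty() && pair.front() == ' ') pair.remove_prefix(1);
        while (!pair.empty() && pair.back() == ' ') pair.remove_suffix(1);
        std::size_t eq = pair.find('=');
        if (eq != std::string_view::npos && eq > 0)
            cookies.emplace(std::string(pair.substr(0, eq)), std::string(pair.substr(eq + 1)));
        start = end + 1;
    }
    return cookies;
}

// Build a Set-Cookie header value. The name must be an HTTP token and the
// value must consist of RFC 6265 cookie-octets (no CR/LF, ';', ',', '"', '\\',
// spaces or control chars); otherwise nullopt, so an attacker-influenced value
// cannot inject extra attributes or a second header. Attributes are assumed.
std::optional<std::string> make_set_cookie(std::string_view name, std::string_view value) {
    auto token_char = [](unsigned char c) {
        return c > 0x20 && c < 0x7f && std::string_view("()<>@,;:\\\"/[]?={}").find(c) == std::string_view::npos;
    };
    auto cookie_octet = [](unsigned char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2b) || (c >= 0x2d && c <= 0x3a) ||
               (c >= 0x3c && c <= 0x5b) || (c >= 0x5d && c <= 0x7e);
    };
    if (name.empty()) return std::nullopt;
    for (unsigned char c : name) if (!token_char(c)) return std::nullopt;
    for (unsigned char c : value) if (!cookie_octet(c)) return std::nullopt;
    return std::string(name) + "=" + std::string(value) + "; HttpOnly; Secure; SameSite=Lax; Path=/";
}
```

Each function returns a failure value instead of a best-effort result, which is the "safe by default" behaviour the post asks for: a caller that ignores the nullopt gets no data rather than partially decoded data, and a rejected cookie value never reaches the response.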

