Security: Protect against slow-loris attacks via WebSockets & gRPC

[samsp-msft]

Web sockets should be disabled by default as they don't have limits on connection time or throughput, so can be used as the basis for a slow-loris attack.

[Tratcher]

User experience: WebSocket (and SDPY) requests should be refused with a specific status code and possibly a message that indicates they are disabled.

I'm not seeing an obvious status code for this purpose. The closest I see is 403 Forbidden:
The request contained valid data and was understood by the server, but the server is refusing action. (Usually used for auth so that might be confusing).

Alternatively we could use a custom status code which would make searching for the error easier. It should be a 5xx error since the issue is on the proxy config, not with the client request. E.g. 567 Upgrade Disabled

[davidfowl]

Is this normal proxy behavior? What about HTTP/2 requests doing gRPC streaming?

[Tratcher]

Also gRPC streaming: #118 (comment)

[davidfowl]

So you turn these on and then what?

[samsp-msft]

Conclusion: We should have a timeout where we look for traffic from the server before closing the connections. Both WS and gRPC support ping/pong keep alive semantics, where the server can send a ping to keep the connection alive.

[Tratcher]

slow-loris wasn't the only consideration. For WebSockets there was concern about even allowing long-running protocols by default since these can consume more resources than a normal request.

For gRPC streaming we also currently disable request body size limits.