Migrating from Cowboy 2.16 to 2.17

Cowboy 2.17 fixes a number of security vulnerabilities and improves the security checklist. The checklist is now included in the Hex package for convenience.

Cowboy 2.17 updates Cowlib to 2.18.0. Both applications must be updated as they both contain security fixes.

Cowboy 2.17 requires Erlang/OTP 24.0 or greater.

Features added

  • Potential incompatibility: HTTP/2 now defaults max_concurrent_streams to 100.
  • Potential incompatibility: Websocket now defaults max_frame_size to 1MB.
  • Add the invalid_response_headers option to HTTP/2.
  • Extend invalid_response_headers to responses sent following an early_error stream handler call.
  • Document the max_authority_length option. It limits the length of the authority component, regardless of where that component is found (request line in absolute-form, host header, :authority pseudo-header).
  • Defense-in-depth: Add the max_keys option to cowboy_req functions that parse the query string or form-urlencoded bodies. This new limit is applied in addition to existing length limits. It defaults to 100.
  • Update Cowlib to 2.18.0.
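As an added example (not part of this guide), the following module pins the limits changed in 2.17 explicitly so that an upgrade does not alter behaviour silently; the module, listener name, route and the 255-byte authority value are assumptions, not documented defaults.

```erlang
%% my_ws.erl (hypothetical): a Cowboy listener that sets the limits this
%% guide changed, plus a Websocket handler that sets max_frame_size.
-module(my_ws).
-export([start/0, init/2, websocket_init/1, websocket_handle/2, websocket_info/2]).

start() ->
    Dispatch = cowboy_router:compile([
        {'_', [{"/ws", ?MODULE, []}]}
    ]),
    %% Protocol options are shared by HTTP/1.1 and HTTP/2 on this listener.
    ProtoOpts = #{
        env => #{dispatch => Dispatch},
        %% New 2.17 default made explicit; lower it for a tighter per-connection cap.
        max_concurrent_streams => 100,
        %% Bound on the authority component wherever it appears (absolute-form
        %% request line, host header, :authority). 255 is a chosen value here.
        max_authority_length => 255
    },
    {ok, _} = cowboy:start_clear(my_listener, [{port, 8080}], ProtoOpts).

%% Websocket handler: 1MB is the new 2.17 max_frame_size default, set
%% explicitly so the limit is visible in the application's own code.
init(Req, State) ->
    {cowboy_websocket, Req, State, #{max_frame_size => 1048576}}.

websocket_init(State) ->
    {[], State}.

%% Echo text frames; any other frame type is ignored.
websocket_handle({text, Msg}, State) ->
    {[{text, Msg}], State};
websocket_handle(_Frame, State) ->
    {[], State}.

websocket_info(_Info, State) ->
    {[], State}.
```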

Bugs fixed

  • Defense-in-depth: Cowboy now rejects certain control characters early, such as the NUL byte, or CR and LF where they are not expected.
  • Strengthen HTTP/1.1 request parsing. Note that request trailers will now be skipped up to a certain length, instead of triggering an error.
