Figure out how to securely do keepalive for HTTP requests
lvh opened this issue · comments
Keepalive is a great performance optimization, even for icecap. It's not unreasonable that a user makes many requests to the same HTTP interface; we should be prepared to keep connections open for that.
On the other hand, it isn't necessarily secure by default for our multi-tenant environment; consider e.g. HTTP APIs where a frontend steals authentication headers, and then passes them through to a backend server already-authenticatedly.
I think it will be fine, iff keep-alive is opt-in, but it may be worth checking out if we can have separate keepalive "pools" with http-kit (or some other HTTP client).
This should also involve an integration test, so that we know if this is accidentally done by e.g. switching to a different web server.
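A sketch of the separate keepalive pools and the integration test the issue asks for, as an added example that is not icecap or http-kit code. It uses the Python standard library in place of the real HTTP client; `PeerEcho`, `TenantPools` and `run_isolation_check` are hypothetical names, and the backend is a constructed local server that reports which TCP connection each request arrived on.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class PeerEcho(BaseHTTPRequestHandler):
    """Constructed backend: replies with the client's source port, i.e. the connection's identity."""
    protocol_version = "HTTP/1.1"  # needed for the server to keep connections alive

    def do_GET(self):
        body = str(self.client_address[1]).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass

class TenantPools:
    """Hypothetical client-side pool: one keep-alive connection per (tenant, host, port)."""
    def __init__(self):
        self._conns = {}

    def get(self, tenant, host, port, path="/"):
        key = (tenant, host, port)  # tenant is part of the key, so connections are never shared
        conn = self._conns.get(key)
        if conn is None:
            conn = self._conns[key] = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        return conn.getresponse().read().decode()

    def close(self):
        for conn in self._conns.values():
            conn.close()

def run_isolation_check():
    """Integration check: keep-alive is reused within a tenant and never across tenants."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PeerEcho)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    pools = TenantPools()
    try:
        tenants = ("tenant-a", "tenant-a", "tenant-b")
        a1, a2, b1 = (pools.get(t, host, port) for t in tenants)
        return {"reused_within_tenant": a1 == a2, "shared_across_tenants": a1 == b1}
    finally:
        pools.close()
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_isolation_check())
```

The same two assertions carry over to a test against the real client and web server: if a library or server swap starts sharing connections between tenants, `shared_across_tenants` becomes true and the test fails.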