dev-sec
Update/Questionable control 7
Control 7 (Control simultaneous connections) expects a limit_conn with a value of 5. https://github.com/dev-sec/nginx-baseline/blob/b54b03c48592c7da58f6532d59feb3ec03b2cf3c/controls/nginx_spec.rb#L184-L194
Modern web browsers supports 6 (or more) connections per hostname, see the table on https://developer.pushtechnology.com/cloud/latest/manual/html/designguide/solution/support/connection_limitations.html#connection_limitations__conn_ie and the overview on http://www.browserscope.org/?category=network&v=top.
I'm wondering on what basis 5 was chosen?
With modern browsers the the limit of 5 is exceeded with ease. The server will return an error in reply to a request (which might result in a broken site).
With the limit_conn_zone $binary_remote_addr zone=default:10m; the errors might occur more frequently given the use of proxy-servers.
Can you elaborate whether the value of 5 is still the correct value taken into account modern browsers and the use of proxy-servers.
