testcookie_deny_keepalive

The 'testcookie_deny_keepalive' directive disables keep-alive connections for requests that fail the test cookie challenge.

Syntax: testcookie_deny_keepalive on;
Default: off
Context: http, server, location
Arguments: 1

Description

The 'testcookie_deny_keepalive' directive is part of the NGINX testcookie robot mitigation module. It prevents persistent (keep-alive) connections for clients that do not successfully complete the cookie validation challenge. This directive is particularly useful for mitigating automated bot traffic that may bypass the normal request-response cycle expected of legitimate users.

When this directive is enabled by setting it to 'on', HTTP requests from clients that fail the cookie test are denied keep-alive connections. Instead of reusing a single TCP connection for multiple HTTP requests, the server closes the connection after each response. This can significantly reduce the efficiency of bots that rely on a rapid succession of requests without re-establishing connections, slowing down their attempts to scrape or attack web resources.

Config Example

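http {
    server {
        location / {
            # Enable the cookie challenge for this location
            testcookie on;
            # Close the connection after each response to a client that fails the challenge
            testcookie_deny_keepalive on;

            # Input used to generate the challenge: here, the client address
            testcookie_session $remote_addr;
            # After 5 failed attempts, send the client to the fallback URL
            testcookie_max_attempts 5;
            testcookie_fallback /error;
        }
    }
}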

Ensure that the 'testcookie' directive is enabled for the 'testcookie_deny_keepalive' directive to take effect.

Be cautious when using 'testcookie_deny_keepalive' in performance-sensitive environments, as it can increase resource consumption by closing connections frequently.
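To confirm the directive is in effect, compare the response head a cookieless client receives with the one a validated client receives. The Python check below is an added example, not part of the module or its documentation; the sample responses are constructed, and it assumes nginx announces the close with a `Connection: close` header on HTTP/1.x.

```python
"""Decide from an HTTP/1.x response head whether the connection stays reusable."""

def parse_head(raw: bytes):
    """Split a raw response head into (http_version, status, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated header fields combine into one comma-separated list
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return version, int(status), headers

def connection_persists(raw: bytes) -> bool:
    """Apply HTTP/1.x persistence rules to the Connection header."""
    version, _, headers = parse_head(raw)
    options = {o.strip().lower() for o in headers.get("connection", "").split(",")}
    if "close" in options:
        return False                      # server will close after this response
    if version == "HTTP/1.0":
        return "keep-alive" in options    # HTTP/1.0 is persistent only on request
    return True                           # HTTP/1.1 is persistent by default

def audit(challenged: bytes, passed: bytes) -> list:
    """Compare a challenged (no cookie) response with a validated one."""
    findings = []
    if connection_persists(challenged):
        findings.append("challenged client kept its connection: deny_keepalive not in effect")
    if not connection_persists(passed):
        findings.append("validated client also lost keep-alive")
    return findings

# Constructed sample response heads (status codes and headers are illustrative)
CHALLENGED_ON = (b"HTTP/1.1 307 Temporary Redirect\r\nServer: nginx\r\n"
                 b"Connection: close\r\nContent-Length: 0\r\n\r\n")
CHALLENGED_OFF = (b"HTTP/1.1 307 Temporary Redirect\r\nServer: nginx\r\n"
                  b"Connection: keep-alive\r\nContent-Length: 0\r\n\r\n")
PASSED = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
          b"Connection: keep-alive\r\nContent-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    print("directive on: ", audit(CHALLENGED_ON, PASSED) or "ok")
    print("directive off:", audit(CHALLENGED_OFF, PASSED))
```

The second finding matters as much as the first: if validated clients also lose keep-alive, the performance cost described above is being paid by legitimate users.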
