Refactor Heartbeat HTTP communication to be more WAF friendly #23217

@knoobie

Description

Describe your motivation

Currently the heartbeat used by Vaadin Flow is using text/plain as the content type, which is disregarded because it makes it harder for WAFs to guess the correct content. Some WAFs even block it by default or print a warning, alarming the SOC or other teams.

See e.g. https://blog.sicuranext.com/why-text-plain-is-evil-for-web-application-firewall-and-input-validation/

Describe the solution you'd like

  • Remove the content type (there is no body anyway)
  • Optional: return 204 (you also don't send anything back)

Describe alternatives you've considered

  • Allow text/plain in the WAF
  • Ignore the problems
  • Tell your ops: don't worry, it's normal

Related to #17728
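The two response shapes this request contrasts, shown as an added example that is not Vaadin Flow's own heartbeat code: a JDK-only HTTP server with one endpoint that answers the way the issue describes (200 with an explicit text/plain Content-Type and an empty body) beside one that answers as proposed (204 No Content with no Content-Type header), and a client that reports what each endpoint actually puts on the wire. The class names and the two paths are hypothetical.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class HeartbeatResponseDemo {

    // "Before" shape (hypothetical handler, not Vaadin's): 200 OK, an
    // explicit text/plain Content-Type, and an empty body. The Content-Type
    // is the part a WAF keys on when deciding how to inspect the exchange.
    static class TextPlainHeartbeat implements HttpHandler {
        @Override
        public void handle(HttpExchange ex) throws IOException {
            ex.getRequestBody().readAllBytes(); // drain request so the connection is reusable
            ex.getResponseHeaders().set("Content-Type", "text/plain;charset=UTF-8");
            ex.sendResponseHeaders(200, -1);    // -1: headers only, no body bytes follow
            ex.close();
        }
    }

    // "After" shape: 204 No Content and no Content-Type at all. A 204 must not
    // carry a body (RFC 9110), so the -1 length is required, not optional.
    static class NoContentHeartbeat implements HttpHandler {
        @Override
        public void handle(HttpExchange ex) throws IOException {
            ex.getRequestBody().readAllBytes();
            ex.sendResponseHeaders(204, -1);
            ex.close();
        }
    }

    // Bind to an ephemeral loopback port so the demo runs anywhere offline.
    static HttpServer start() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/heartbeat-text-plain", new TextPlainHeartbeat());
        server.createContext("/heartbeat-no-content", new NoContentHeartbeat());
        server.start();
        return server;
    }

    // POST with an empty body (a heartbeat sends nothing useful) and report
    // status, Content-Type presence, and body length as the client saw them.
    static String describe(HttpClient client, int port, String path) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create("http://127.0.0.1:" + port + path))
                .POST(HttpRequest.BodyPublishers.noBody())
                .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        return path + " -> status=" + resp.statusCode()
                + " Content-Type=" + resp.headers().firstValue("Content-Type").orElse("<absent>")
                + " body-bytes=" + resp.body().length();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = start();
        int port = server.getAddress().getPort();
        HttpClient client = HttpClient.newHttpClient();
        try {
            System.out.println(describe(client, port, "/heartbeat-text-plain"));
            System.out.println(describe(client, port, "/heartbeat-no-content"));
        } finally {
            server.stop(0);
        }
    }
}
```

Run it with `java HeartbeatResponseDemo.java` (JDK 11 or later, single-file mode). The first line shows a declared text/plain type on a response that has no content to type, which is exactly what gives a WAF something to complain about; the second shows that dropping the header and using 204 removes the declaration without changing what the client receives, since the body was empty either way.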

Metadata

Status: Closed (Done)
Assignees: none
Milestone: none