FastCGI: 30 Years Old and Still the Better Protocol for Reverse Proxies
5 hours ago
- #Reverse Proxy
- #HTTP Security
- #FastCGI
- FastCGI, released 30 years ago, is a wire protocol alternative to HTTP for reverse proxy-to-backend communication.
- FastCGI avoids HTTP pitfalls such as desync/request smuggling attacks because it has had clear message framing since 1996.
- It also solves untrusted header issues by structurally separating client headers (prefix 'HTTP_') from trusted proxy data.
- Popular proxies like Apache, Caddy, nginx, and HAProxy support FastCGI with simple configuration changes.
- FastCGI is usable today but has downsides: no WebSocket support, limited tooling support (e.g., in curl), and potential performance lag.
- Despite shortcomings, FastCGI remains a secure and practical choice for reverse proxying, avoiding HTTP's vulnerabilities.
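The framing and the `HTTP_` separation described in the bullets above, as an added example that is not taken from the original article or from any proxy's code. It follows the published FastCGI record layout (8-byte header, length-prefixed name-value pairs) and handles only `FCGI_PARAMS` records; `proxy_params` and the other helper names are hypothetical, and the sample addresses and headers in the usage note are constructed.

```python
import struct

FCGI_VERSION_1, FCGI_PARAMS = 1, 4
# Fixed 8-byte header: version, type, requestId, contentLength, paddingLength, reserved
HEADER = struct.Struct(">BBHHBx")

def _length(n):
    # Lengths under 128 take one byte; larger ones take four with the high bit set.
    return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)

def encode_params(pairs):
    return b"".join(_length(len(n)) + _length(len(v)) + n + v
                    for n, v in ((a.encode(), b.encode()) for a, b in pairs))

def record(rtype, request_id, content):
    padding = -len(content) % 8
    return HEADER.pack(FCGI_VERSION_1, rtype, request_id, len(content), padding) + content + bytes(padding)

def read_records(buf):
    """Split a stream into (type, request_id, content) using only declared lengths."""
    pos, records = 0, []
    while pos < len(buf):
        if len(buf) - pos < HEADER.size:
            raise ValueError("truncated header")
        version, rtype, request_id, clen, plen = HEADER.unpack_from(buf, pos)
        end = pos + HEADER.size + clen + plen
        if version != FCGI_VERSION_1 or end > len(buf):
            raise ValueError("malformed or truncated record")
        records.append((rtype, request_id, buf[pos + HEADER.size:end - plen]))
        pos = end
    return records

def decode_params(data):
    pos, pairs = 0, []
    while pos < len(data):
        sizes = []
        for _ in range(2):  # name length, then value length
            wide = data[pos] >= 128
            raw = struct.unpack_from(">I", data, pos)[0] & 0x7FFFFFFF if wide else data[pos]
            sizes.append(raw)
            pos += 4 if wide else 1
        name_end, value_end = pos + sizes[0], pos + sizes[0] + sizes[1]
        pairs.append((data[pos:name_end].decode(), data[name_end:value_end].decode()))
        pos = value_end
    return pairs

def proxy_params(remote_addr, client_headers):
    # Hypothetical proxy side: proxy facts use bare names, client headers get HTTP_.
    return [("REMOTE_ADDR", remote_addr)] + [
        ("HTTP_" + k.upper().replace("-", "_"), v) for k, v in client_headers]
```

Passing `proxy_params("203.0.113.7", [("Remote-Addr", "127.0.0.1")])` through `encode_params`, `record`, `read_records` and `decode_params` yields both `REMOTE_ADDR` and `HTTP_REMOTE_ADDR` as distinct keys, and a header value containing CRLF comes back byte for byte without moving any record boundary.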