`Forwarded`, `X-Forwarded-*` headers are trusted by default.

Question

`Forwarded`, `X-Forwarded-*` headers are trusted by default.

damooo opened this issue 7 months ago · comments

Description

Currently server trust Forwarded and X-Forwrded-* headers by default when reconstructing an uri. That can be security issue when setting with reverse proxy. For example python modwsgi provides config trusted_proxy_headers to explicitly enable them.

See also : pallets/werkzeug#609

Joachim Van Herwegen · Answer 1 · Thu Nov 09 2023 16:40:50 GMT+0800 (China Standard Time)

While it would be good to have settings for that, what actually is the security risk in the case of the server?

దామోదర · Answer 2 · Thu Nov 09 2023 16:47:27 GMT+0800 (China Standard Time)

In some setups, someone can set arbitrary headers, and mislead the server to reconstruct different uri than what it is supposed to be.