`Forwarded`, `X-Forwarded-*` headers are trusted by default.
damooo opened this issue
దామోదర commented
Description

Currently the server trusts `Forwarded` and `X-Forwarded-*` headers by default when reconstructing a URI. That can be a security issue when set up behind a reverse proxy. For example, Python mod_wsgi provides the config `trusted_proxy_headers` to explicitly enable them.
See also: pallets/werkzeug#609
Joachim Van Herwegen commented
While it would be good to have settings for that, what actually is the security risk in the case of the server?
దామోదర commented
In some setups, someone can set arbitrary headers and mislead the server into reconstructing a different URI than the one it is supposed to.
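The following is an added example, not code from the issue or from any project discussed in it. It shows both points raised in the thread: a naive reconstruction that honours `Forwarded` / `X-Forwarded-*` from any client, and a hardened version that honours them only when the TCP peer is a configured trusted proxy (the equivalent of mod_wsgi's `trusted_proxy_headers`). The request objects, the proxy address `10.0.0.5` and the `remoteAddress` / `encrypted` fields are constructed for the example; a real Node.js server would read them from `req.socket`.

```javascript
// Added example: trusted-proxy handling for Forwarded / X-Forwarded-* headers.
// TRUSTED_PROXIES is an assumed deployment setting: the reverse proxy addresses
// whose forwarding headers this server is allowed to believe.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Parse the first element of an RFC 7239 Forwarded header, e.g.
//   Forwarded: for=203.0.113.7;proto=https;host="example.org"
function parseForwarded(value) {
  const out = {};
  for (const pair of value.split(',')[0].split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const key = pair.slice(0, idx).trim().toLowerCase();
    let val = pair.slice(idx + 1).trim();
    if (val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    out[key] = val;
  }
  return out;
}

// Lower-case header names so lookups are case-insensitive.
function normaliseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Apply proxy headers without any trust check: what the issue describes as
// the current default. Any client can pick the scheme and host.
function reconstructUrlNaive(req) {
  const h = normaliseHeaders(req.headers);
  let proto = req.encrypted ? 'https' : 'http';
  let host = h.host;
  if (h.forwarded) {
    const f = parseForwarded(h.forwarded);
    if (f.proto) proto = f.proto;
    if (f.host) host = f.host;
  } else {
    if (h['x-forwarded-proto']) proto = h['x-forwarded-proto'].split(',')[0].trim();
    if (h['x-forwarded-host']) host = h['x-forwarded-host'].split(',')[0].trim();
  }
  return `${proto}://${host}${req.url}`;
}

// Hardened variant: forwarding headers count only when the request arrived
// from a trusted proxy; otherwise the socket's own scheme and Host are used.
function reconstructUrl(req, trustedProxies = TRUSTED_PROXIES) {
  const h = normaliseHeaders(req.headers);
  let proto = req.encrypted ? 'https' : 'http';
  let host = h.host;
  if (trustedProxies.has(req.remoteAddress)) {
    if (h.forwarded) {
      const f = parseForwarded(h.forwarded);
      if (f.proto) proto = f.proto;
      if (f.host) host = f.host;
    } else {
      if (h['x-forwarded-proto']) proto = h['x-forwarded-proto'].split(',')[0].trim();
      if (h['x-forwarded-host']) host = h['x-forwarded-host'].split(',')[0].trim();
    }
  }
  // Even values from a trusted proxy are validated before being used.
  if (proto !== 'http' && proto !== 'https') throw new Error('invalid proto');
  if (!host || !/^[A-Za-z0-9.\-:\[\]]+$/.test(host)) throw new Error('invalid host');
  return `${proto}://${host}${req.url}`;
}

// Constructed sample requests (minimal shape, not Node's IncomingMessage).
// A client connecting directly and setting forwarding headers itself:
const SAMPLE_DIRECT = {
  remoteAddress: '203.0.113.7', encrypted: false, url: '/inbox',
  headers: { Host: 'example.org', 'X-Forwarded-Host': 'evil.example', 'X-Forwarded-Proto': 'https' },
};
// The same path arriving through the configured reverse proxy:
const SAMPLE_VIA_PROXY = {
  remoteAddress: '10.0.0.5', encrypted: false, url: '/inbox',
  headers: { Host: 'internal:3000', Forwarded: 'for=203.0.113.7;proto=https;host="example.org"' },
};

console.log('naive, direct client :', reconstructUrlNaive(SAMPLE_DIRECT));
console.log('trusted, direct client:', reconstructUrl(SAMPLE_DIRECT));
console.log('trusted, via proxy    :', reconstructUrl(SAMPLE_VIA_PROXY));
```

The check is keyed on the peer address because that is the one thing a client cannot set with a header; a list of trusted proxies therefore has to reflect the actual deployment rather than defaulting to "everyone".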