The ProxyHeaders middleware is misleading and dangerous #238

vikstrous2 opened this issue Dec 9, 2022 · 0 comments

@vikstrous2

There's no universal standard for what the proxy headers mean or what order IP addresses are in. Having an open source package that makes it look like you can "just add" support for detecting the IP of the client correctly is misleading.

You can learn more about the topic here: https://adam-p.ca/blog/2022/03/x-forwarded-for/

It's also dangerous because the particular configuration that I found this used in was incorrectly taking a client-controlled header as the "real" IP.

IMO the most correct thing to do is to either split the handler into 10 or so for different proxy configurations, or just delete it entirely, because it's much easier for the user to look up what their proxy is doing and write the 5 lines of code needed to parse the end user's IP address.

@vikstrous2 vikstrous2 added the bug label Dec 9, 2022
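The "look up what your proxy does and write the few lines yourself" approach the issue recommends, as an added example that is not part of this issue or of the project's ProxyHeaders middleware. It assumes a constructed deployment of exactly two reverse proxies in 10.0.0.0/24 that each append their TCP peer's address to X-Forwarded-For; the proxy subnet, the proxy count, the helper names (peerIP, xffHops, naiveClientIP, clientIP, newReq) and the sample addresses are all assumptions for illustration. naiveClientIP is the spoofable pattern the issue warns about (trusting the leftmost, client-supplied entry); clientIP indexes from the right by the known proxy count and ignores the header entirely when the TCP peer is not one of the proxies.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Assumed deployment (constructed for this example): client -> proxy 10.0.0.1
// -> proxy 10.0.0.2 -> this app. Each proxy appends the address of its own TCP
// peer to X-Forwarded-For, so the last proxyCount-1 entries came from our own
// proxies and the entry just before them is what the edge proxy actually saw.
var _, proxyNet, _ = net.ParseCIDR("10.0.0.0/24")

const proxyCount = 2

// peerIP is the TCP peer address: the only value nobody upstream can forge.
func peerIP(r *http.Request) (net.IP, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil, fmt.Errorf("bad RemoteAddr %q: %w", r.RemoteAddr, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, fmt.Errorf("bad RemoteAddr %q", r.RemoteAddr)
	}
	return ip, nil
}

// xffHops flattens X-Forwarded-For (possibly repeated, possibly with spaces)
// into its comma-separated entries, left to right.
func xffHops(r *http.Request) []string {
	var hops []string
	for _, v := range r.Header.Values("X-Forwarded-For") {
		for _, p := range strings.Split(v, ",") {
			if p = strings.TrimSpace(p); p != "" {
				hops = append(hops, p)
			}
		}
	}
	return hops
}

// naiveClientIP is the pattern the issue warns about: the leftmost entry is
// whatever the client chose to send, so it is trivially spoofable.
func naiveClientIP(r *http.Request) string {
	if hops := xffHops(r); len(hops) > 0 {
		return hops[0]
	}
	ip, _ := peerIP(r)
	return ip.String()
}

// clientIP derives the end-user IP for the assumed proxy chain. If the TCP
// peer is not one of our proxies, the request bypassed them, so the peer
// itself is the client and the header is ignored entirely.
func clientIP(r *http.Request) (net.IP, error) {
	peer, err := peerIP(r)
	if err != nil {
		return nil, err
	}
	if !proxyNet.Contains(peer) {
		return peer, nil
	}
	hops := xffHops(r)
	// proxyCount-1 trailing entries were appended by our own proxies; the one
	// before them is the address the edge proxy connected from.
	idx := len(hops) - proxyCount
	if idx < 0 {
		return nil, errors.New("too few X-Forwarded-For entries for the configured proxy chain")
	}
	ip := net.ParseIP(hops[idx])
	if ip == nil {
		return nil, fmt.Errorf("unparseable X-Forwarded-For entry %q", hops[idx])
	}
	return ip, nil
}

// newReq builds a request as the app would see it; the X-Forwarded-For
// values are constructed sample headers, not captured traffic.
func newReq(remoteAddr string, xff ...string) *http.Request {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	for _, v := range xff {
		r.Header.Add("X-Forwarded-For", v)
	}
	return r
}

func main() {
	// Client at 203.0.113.9 sends a forged leading entry through both proxies.
	r := newReq("10.0.0.2:51234", "198.51.100.7, 203.0.113.9, 10.0.0.1")
	ip, err := clientIP(r)
	fmt.Println("naive:", naiveClientIP(r), "correct:", ip, err)
}
```

The proxy count and subnet are deployment facts, not something a generic middleware can discover from the request; a wrong count in either direction yields either a spoofable value or one of your own proxies' addresses, which is why this belongs in application configuration rather than in a drop-in handler.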