Discard X-Forwarded-Host headers

ikus060 · Dec 6, 2022 · 5f86167 · 5f86167
1 parent 8e1a479
commit 5f86167
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -108,6 +108,10 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## Next Release - 2.5.4
+
+* Discard `X-Forwarded-Host` headers
+
 ## 2.5.3 (2022-12-05)
 
 * Add support for WTForms v3 to support Debian Bookworm

diff --git a/rdiffweb/rdw_app.py b/rdiffweb/rdw_app.py
@@ -85,7 +85,7 @@
 @cherrypy.tools.currentuser(userobj=lambda username: UserObject.get_user(username))
 @cherrypy.tools.db()
 @cherrypy.tools.enrich_session()
-@cherrypy.tools.proxy(remote='X-Real-IP')
+@cherrypy.tools.proxy(local=None, remote='X-Real-IP')
 @cherrypy.tools.secure_headers()
 class Root(LocationsPage):
     def __init__(self):