
Security Topic // Proxy Headers Trust Issue // Unconditional Trust Of X-Forwarded Headers #855

Closed
@alenbhclynpblc

Description


The application has X-Forwarded-For (and various other names) detection, but there is no 'trusted proxy' setting. This will be a security issue when an attacker sends IP addresses that they do not own.

This can be checked with a middleware, but developers (who don't know these types of attack vectors) will use this function without any doubt; the framework can force the use of a method (e.g. 'resolveProxyHeaders(true)') to activate it, forcing the developer to read the notices.

For example, you can check the Symfony Framework (PHP): http://symfony.com/doc/current/components/http_foundation/trusting_proxies.html

If you want, I can share more example frameworks which have this feature.

Checklist

  • [x] Dependencies installed
  • [x] No typos
  • [x] Searched existing issues and docs
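The two behaviours the issue contrasts, as an added example that is not code from the project this issue is filed against: `naive_client_ip` trusts the header unconditionally, while `trusted_client_ip` honours it only for hops added by a configured trusted-proxy list (function names, CIDR ranges and sample addresses are constructed for illustration).

```python
import ipaddress
from typing import Iterable, Optional


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the issue warns about: X-Forwarded-For trusted unconditionally.
    Whoever connects picks the first entry, so rate limits, IP allow-lists and
    audit logs keyed on this value are under the sender's control."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Honour X-Forwarded-For only for hops appended by trusted proxies.

    trusted_proxies holds IPs or CIDR ranges (the 'trusted proxy' setting the
    issue asks for). The chain is walked from the right, the hop nearest to us;
    trusted hops are skipped and the first untrusted one is the client. If the
    connecting peer is not a trusted proxy, the header is ignored entirely.
    """
    networks = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def parse(addr: str):
        try:
            return ipaddress.ip_address(addr)
        except ValueError:
            return None

    def is_trusted(addr: str) -> bool:
        ip = parse(addr)
        return ip is not None and any(ip in net for net in networks)

    if not networks or not is_trusted(remote_addr):
        return remote_addr        # header sent by an untrusted peer: ignore it

    for hop in reversed((xff or "").split(",")):
        hop = hop.strip()
        if not hop:
            continue
        if parse(hop) is None:
            return remote_addr    # malformed chain: trust none of it
        if not is_trusted(hop):
            return hop            # first untrusted address from the right
    # Every hop was a trusted proxy, or the header was absent or empty.
    return remote_addr
```

With an empty trusted-proxy list the header is never consulted, which is the safe default the issue asks the framework to enforce until the developer opts in.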
