
Normalize more incoming HTTP headers #6

Open
technosophos opened this issue Oct 22, 2020 · 1 comment

Comments

@technosophos
Contributor

Right now, we only remove the following HTTP headers from the ones that are injected into the environment:

  • HTTP_AUTHORIZATION
  • HTTP_CONNECTION

The specification notes that other security-sensitive headers should also be removed. What headers should be removed?

@dominics

Proxy

Otherwise attackers can control HTTP_PROXY, which is usually automatically read by tools like HTTP clients. This presents a server-side request "forgery"/exfil risk, where the attacking client controls where the server will send unrelated backend requests, if it makes any.

See httpoxy.org
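One way a CGI-style header-to-environment mapping can drop the headers discussed in this thread, as an added example that is not the project's own code: the `headers_to_env` function, the blocklist and the sample request are constructed for illustration. It removes `Authorization` and `Connection` (already stripped today) plus `Proxy` (the httpoxy case), and maps the remaining headers to `HTTP_*` variables the way RFC 3875 describes.

```rust
use std::collections::HashMap;

// Header names that must never be copied into the environment (lower-case for
// case-insensitive matching). Authorization and Connection are the two the
// issue already strips; Proxy is added so a client-supplied "Proxy:" header can
// never become HTTP_PROXY (httpoxy). Constructed list, not the project's own.
const BLOCKED_HEADERS: &[&str] = &["authorization", "connection", "proxy"];

/// Build CGI-style `HTTP_*` environment variables from request headers,
/// dropping the blocked ones. Names are matched case-insensitively; `-`
/// becomes `_`, so `X-Forwarded-For` maps to `HTTP_X_FORWARDED_FOR`.
pub fn headers_to_env(headers: &[(&str, &str)]) -> HashMap<String, String> {
    let mut env = HashMap::new();
    for (name, value) in headers {
        let lower = name.to_ascii_lowercase();
        if BLOCKED_HEADERS.contains(&lower.as_str()) {
            continue; // never expose these to the guest program
        }
        let key = format!("HTTP_{}", lower.to_ascii_uppercase().replace('-', "_"));
        // RFC 3875 requires repeated fields to be merged into a single value;
        // joining with ", " is one common way to do that.
        env.entry(key)
            .and_modify(|v: &mut String| {
                v.push_str(", ");
                v.push_str(value);
            })
            .or_insert_with(|| value.to_string());
    }
    env
}

fn main() {
    // Constructed sample request, including a hostile "Proxy" header.
    let request = [
        ("Host", "example.test"),
        ("Proxy", "http://attacker.invalid:8080"),
        ("Authorization", "Bearer secret"),
        ("Connection", "keep-alive"),
        ("Accept", "text/html"),
        ("Accept", "application/json"),
    ];
    for (k, v) in headers_to_env(&request) {
        println!("{}={}", k, v);
    }
}
```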
