Skip to content

How to handle host headers #753

New issue
New issue
Open
Open
How to handle host headers#753
Labels
enhancementNew feature or requestquestionFurther information is requested
@vicb

Description

@vicb
vicb
opened on Feb 26, 2025

ref/discussion: see #752

When OpenNext is behind a reverse proxy (i.e. aws wrappers) the host can be retrieved from header["x-forwarded-host"].
For Node, it depends how the infra is setup (behind a RP or not).

We also have this:

opennextjs-aws/packages/open-next/src/core/requestHandler.ts

Lines 46 to 48 in e48951f

if (initialHeaders["x-forwarded-host"]) {
initialHeaders.host = initialHeaders["x-forwarded-host"];
}

header["x-forwarded-host"] should not be trusted if not behind a reverse proxy as it can be forged.

We should figure out the best way to configure this.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestquestionFurther information is requested

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions