@@ -35,15 +35,22 @@ and what headers your reverse proxy uses to send information::
3535 ['192.0.0.1', '10.0.0.0/8'],
3636
3737 // trust *all* "X-Forwarded-*" headers
38- Request::HEADER_X_FORWARDED_ALL
38+ Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
3939
4040 // or, if your proxy instead uses the "Forwarded" header
4141 // Request::HEADER_FORWARDED
4242
43- // or, if you're using AWS ELB
43+ // or, if you're using a wellknown proxy
4444 // Request::HEADER_X_FORWARDED_AWS_ELB
45+ // Request::HEADER_X_FORWARDED_TRAEFIK
4546 );
4647
48+ .. caution ::
49+
50+ Enabling the ``Request::HEADER_X_FORWARDED_HOST `` option exposes the
51+ application to "`HTTP Host header attacks `_". Make sure the proxy really
52+ send a ``x-forwarded-host `` header.
53+
4754The Request object has several ``Request::HEADER_* `` constants that control exactly
4855*which * headers from your reverse proxy are trusted. The argument is a bit field,
4956so you can also pass your own value (e.g. ``0b00110 ``).
@@ -114,3 +121,4 @@ In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value
114121.. _`security groups` : https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
115122.. _`CloudFront` : https://en.wikipedia.org/wiki/Amazon_CloudFront
116123.. _`CloudFront IP ranges` : https://ip-ranges.amazonaws.com/ip-ranges.json
124+ .. _`HTTP Host header attacks` : https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
0 commit comments