parent
64dfa462a6
commit
1403603b05
|
@ -1280,14 +1280,17 @@ that proxies can use to provide information about the original request. There ar
|
|||
non-standard headers, too, including `X-Forwarded-Host`, `X-Forwarded-Port`,
|
||||
`X-Forwarded-Proto`, `X-Forwarded-Ssl`, and `X-Forwarded-Prefix`.
|
||||
|
||||
`ForwardedHeaderFilter` is a Servlet filter that modifies the host, port, and scheme of
|
||||
the request, based on `Forwarded` headers, and then removes those headers.
|
||||
`ForwardedHeaderFilter` is a Servlet filter that modifies the request in order to
|
||||
a) change the host, port, and scheme based on `Forwarded` headers, and b) to remove those
|
||||
headers to eliminate further impact. The filter relies on wrapping the request, and
|
||||
therefore it must be ordered ahead of other filters, such as `RequestContextFilter`, that
|
||||
should work with the modified and not the original request.
|
||||
|
||||
There are security considerations for forwarded headers since an application cannot know
|
||||
if the headers were added by a proxy, as intended, or by a malicious client. This is why
|
||||
a proxy at the boundary of trust should be configured to remove untrusted `Forwarded` headers that come
|
||||
from the outside. You can also configure the `ForwardedHeaderFilter` with
|
||||
`removeOnly=true`, in which case it removes but does not use the headers.
|
||||
a proxy at the boundary of trust should be configured to remove untrusted `Forwarded`
|
||||
headers that come from the outside. You can also configure the `ForwardedHeaderFilter`
|
||||
with `removeOnly=true`, in which case it removes but does not use the headers.
|
||||
|
||||
|
||||
|
||||
|
|
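Review bot: In the rewritten `ForwardedHeaderFilter` paragraph, the a)/b) list is not parallel ("in order to a) change ... and b) to remove") and "to eliminate further impact" does not say what impact is meant. Suggest "in order to a) change the host, port, and scheme based on `Forwarded` headers, and b) remove those headers so that code further down the chain does not act on them". The new ordering sentence would also be worth connecting to the security paragraph that follows: because the filter works by wrapping the request, any filter ordered ahead of it still sees the original request with whatever forwarded headers the client sent, and that applies to `removeOnly=true` as well. The second half of the hunk only re-wraps the trust-boundary paragraph, so no comment there.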