new requirement: end-user should not be able to give and/or manipulate headers which an application expects/uses from load balancers or proxies #1697
Comments
Something like:
What do you think @elarlang ?
Can we use something like...
End-users can manipulate those headers anyway, the point is, that this middle-layer should clean up headers with the same name.
Are there any other security sensitive headers that you want to consider here or only those related to the original IP? If there are other headers then this needs to stay as a separate requirement and we should be more specific maybe. If the only headers we are talking about are those which provide source IP then I think we can merge with the requirement in #1389.
Not just IP, there are:
Rails has historically struggled with these in certain configurations. Perhaps something like:
I was thinking about it more and those (#1389) need to be separate requirements.
Requirement: Other pieces/proposals:
My modification:
One more thing - "relies upon" ... maybe just "uses"?
Yeah ok. Any other comments @jsulinski ?
Sounds good to me! Here's another version if you prefer, that resolves the awkwardness of 'which/that these':
updated version from #1697 (comment)
I updated PR based on that (097e6fa)
Both are ok, but what is the key difference?
346 and Origin in web context associates with the From #1481 point of view, it does not matter too much anyway.
@elarlang let's make it 346 anyway but I accept that this sort of thing is potentially going to become less important going forward
(PR is updated, #1720)
Problem to solve: if an application uses HTTP request headers (like X-Forwarded-* headers) from load balancers, proxies etc., then it should be clear that those headers are not given by the end user.
Fits to category: V14.5 HTTP Request Header Validation
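As an added illustration of the two sides of this requirement (not code from the issue, the PR, or ASVS itself): the edge proxy discards any X-Forwarded-* headers the client sent and sets its own, and the application honours X-Forwarded-For only when the connection actually came from a trusted proxy. Header dictionaries, the header list and the trusted-proxy CIDRs are constructed for the example.

```python
import ipaddress

# Headers that only the edge proxy may originate. Constructed list for this
# example; extend it with whatever your proxy actually sets.
PROXY_ONLY_HEADERS = ("x-forwarded-for", "x-forwarded-proto", "x-forwarded-host")


def proxy_rewrite_headers(headers, peer_ip, proto, host):
    """Edge-proxy side: drop every client-supplied X-Forwarded-* header
    (whatever its letter case) and replace it with values the proxy observed
    itself, so the application never sees an end-user-controlled copy."""
    clean = {k: v for k, v in headers.items() if k.lower() not in PROXY_ONLY_HEADERS}
    clean["X-Forwarded-For"] = peer_ip
    clean["X-Forwarded-Proto"] = proto
    clean["X-Forwarded-Host"] = host
    return clean


def app_client_ip(headers, peer_ip, trusted_proxies):
    """Application side: use X-Forwarded-For only when the TCP peer is a
    trusted proxy, then take the rightmost address that is not itself a
    trusted proxy. Anything further left could have been written by the client."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    if not trusted(peer_ip):
        return peer_ip  # direct connection: the header is untrusted input
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    chain = [p.strip() for p in xff.split(",") if p.strip()]
    for hop in reversed(chain):
        try:
            if not trusted(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back rather than trust garbage
    return peer_ip  # chain contained only trusted proxies
```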