feat: enhance security against header spoofing #12213
Conversation
…t and improve documentation * Moved inner function `functionName` outside its parent function for better code organization and readability. * Improved JSDoc annotations for `functionName`, detailing parameters, return type, and usage.
…better highlighting * Changed `//` comments to `/** */` for comments that include `@example` annotations. * Ensured proper JSDoc format so that code editors correctly highlight the examples.
… security against header spoofing * Introduced a new `trustDownstreamProxy` option in the `options` object to control whether `X-Forwarded-XXXX` headers should be considered. * This boolean option defaults to `true` to maintain backward compatibility while enhancing security. * When set to `false`, the `X-Forwarded` headers are ignored, reducing the risk of header spoofing.
🦋 Changeset detectedLatest commit: e1c664d The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
github-actions
bot
added
the
pkg: astro
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
If this pull request is approved, I will take the initiative to create a corresponding pull request for the |
Does this mean that when Also, there is need of tests. We need to test cases where |
That’s right, all request values must be obtained from the socket and the IncomingMessage object.
Of course, I'll try to create a test suite. |
This pull request introduces a significant enhancement to the security model of the
output: 'server' or 'hybrid'mode in NodeApp. The primary goal is to provide developers with the option to control the trustworthiness of headers from downstream proxies.Changes
Add
trustDownstreamProxyoption to enhance security against header spoofingThis change introduces a new optional parameter called
trustDownstreamProxyto the functionNodeApp.createRequest. This parameter allows developers to control whether the X-Forwarded-XXXX headers should be considered. By default, it is set totrue, maintaining backward compatibility. When set tofalse, the headers are ignored, enhancing security by reducing the risk of header spoofing. This change improves the configuration options available to developers while ensuring that existing functionality remains unchanged.Testing
There was no need to include tests for this change because the new
trustDownstreamProxyoption is optional and defaults totrue, ensuring that the existing behavior of the function remains unchanged. This change focuses on enhancing configuration and security without altering the current logic of the code.Docs
N/A: This change primarily impacts developers and maintainers of the project. The new
trustDownstreamProxyoption has been documented directly in the code using JSDoc comments. While there isn't separate user-facing documentation, the inline comments provide clear guidance on how to use this option and its purpose within the existing codebase.