Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Fowarded header (RFC 7239) #2237

Open
Kludex opened this issue Jan 29, 2024 Discussed in #2236 · 5 comments
Open

Add support for Fowarded header (RFC 7239) #2237

Kludex opened this issue Jan 29, 2024 Discussed in #2236 · 5 comments

Comments

@Kludex
Copy link
Member

Kludex commented Jan 29, 2024

Discussed in #2236

Originally posted by nhairs January 28, 2024
We should probably support the Forwarded header which was standardised in RFC 7239.

One of the benefits of this header over X-Forwarded-* headers is that it supports including the port of the client rather than just the address.

See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded

Important

  • We're using Polar.sh so you can upvote and help fund this issue.
  • We receive the funding once the issue is completed & confirmed by you.
  • Thank you in advance for helping prioritize & fund our backlog.
Fund with Polar
@Kludex
Copy link
Member Author

Kludex commented Feb 10, 2024

@Kludex
Copy link
Member Author

Kludex commented Feb 10, 2024

@nhairs Do you have any proposal on how we should implement this?

Can we have the X-Forwarded-* and Forwarded at the same time?

@nhairs
Copy link
Contributor

nhairs commented Feb 10, 2024

Can we have the X-Forwarded-* and Forwarded at the same time?

Per the code comments I left in my open PR, I initially thought this was the case. i.e. use the official headers if available otherwise fallback to the x-forwarded headers. But I suspect that such behaviour might introduce vulnerabilities into user's applications. It might be better to take a PEP20 "Explicit is better than implicit" approach which leads me to...

@nhairs Do you have any proposal on how we should implement this?

My gut feeling is that we're better off making users explicitly choose which headers they want to extract info from. Trying to support all of them from the commandline seems like a lot of work though. What about supporting X-Real-IP headers?

Which leads to my suggestion on #2231:

@Kludex
Copy link
Member Author

Kludex commented Sep 27, 2024

Makes sense to be explicit on what is supported.

@Kludex
Copy link
Member Author

Kludex commented Sep 28, 2024

Maybe we can check how others are doing it? Are we going to pioneer this "choices"?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants