UseForwardedHeaders should raise more prominent errors for unknown proxies #58461
Labels
area-middleware
Includes: URL rewrite, redirect, response cache/compression, session, and other general middlesware
Comments
halter73
added
the
area-middleware
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have a general rule that errors that can be caused by a misbehaving client connected to a well-configured and functioning web app should not raise log messages higher than the debug level because it could allow attackers to effectively spam the logs. This is a principle we follow in the
ForwardedHeadersMiddleware. However, this makes it much harder to figure out what's going on when the middleware ignoresX-Forwarded-...headers because the request comes from an "unknown" proxy in development. See #58455 and #57650 for some recent examples of this.The only indication that things are going wrong (other than
HttpRequest.Hostand some other properties not getting set to the expected forwarded values) is the following log:Raising the severity of the log only in development seems like one of the easiest possible fixes, but most of the time this issue only occurs after deploying to a production environment. Another option would be to reject requests containing
X-Forwarded-headers from an unknown source with a 400 status and a description of the issue in the response body even in production, but that seems like a very risky breaking change.I'm not sure what the best solution is, but the current behavior has wasted a lot of people's time debugging.
The text was updated successfully, but these errors were encountered: