[Security Risk] The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. #25751
Can someone explain this to me?
I set the logging to debug to have compliance for one of my clients with the event feature: DEBUG [org.keycloak.events]. Where is the security risk here, and can this even be set to be overwritten when I want this compliance feature?
I think it simply implies that Keycloak may trust either of the headers and the reverse proxy must be sure to override all `X-Forwarded-*` headers and the `Forwarded` header before sending the request to the backend, to ensure that the headers are not forged by malicious clients. These headers are used to log (and possibly filter based on the) requests' IP addresses, and as such it may be an issue if they are spoofed. Some of them are lists of IPs. By default, in the case of `X-Forwarded-For`, each reverse proxy will add an IP to the list (i.e., if you have two reverse proxies between the client and the backend, you will have the client's IP and the address of the first reverse proxy in the lis…