Fix PR Add a setting flag to allow optional use of X-Forwarded-Host #2010
I'm sorry. I forgot to merge the updates from the main branch. Please wait a moment.
It's done. Please review it.
This is not the solution we are looking for. For example, this does not account for the forwarded header.
I think we want something like what Rails has, where you can allow values you trust for the host and forwarded host header: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
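The allow-list approach described in the comment above, as an added example that is not code from this PR or from the project: every host value a request claims, whether in `Host`, `X-Forwarded-Host` or the `host=` parameter of `Forwarded`, must match a trusted entry. `PERMITTED_HOSTS`, the function names and the sample domains are assumptions made for the illustration.

```ruby
# Added illustration; PERMITTED_HOSTS and all function names are hypothetical.
# Strings match exactly, regexps match by pattern (anchored with \A and \z).
PERMITTED_HOSTS = ["app.example.test", /\A[a-z0-9-]+\.example\.test\z/].freeze

# Lowercase, drop an optional port and trailing dot; nil if malformed.
def normalize_host(value)
  m = value.to_s.strip.downcase
           .match(/\A(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?\z/)
  m && m[1].chomp(".")
end

# Pull every host= parameter out of an RFC 7239 Forwarded header value.
def forwarded_hosts(header)
  header.to_s.split(",").flat_map do |element|
    element.split(";").filter_map do |pair|
      name, value = pair.strip.split("=", 2)
      value.to_s.delete('"') if name.to_s.casecmp?("host")
    end
  end
end

# All host values a request claims, from a Rack-style env hash.
def claimed_hosts(env)
  [env["HTTP_HOST"]] +
    env["HTTP_X_FORWARDED_HOST"].to_s.split(",") +
    forwarded_hosts(env["HTTP_FORWARDED"])
end

# True only if Host is present and every claimed value is on the allow-list.
def host_authorized?(env, permitted = PERMITTED_HOSTS)
  claimed_hosts(env).all? do |raw|
    host = normalize_host(raw)
    !host.nil? && permitted.any? { |rule| rule === host }
  end
end

# Constructed sample requests (not taken from the PR).
if __FILE__ == $PROGRAM_NAME
  [
    { "HTTP_HOST" => "app.example.test" },
    { "HTTP_HOST" => "app.example.test", "HTTP_X_FORWARDED_HOST" => "untrusted.example" },
    { "HTTP_HOST" => "app.example.test", "HTTP_FORWARDED" => 'for=192.0.2.1;host="untrusted.example"' }
  ].each { |env| puts "#{env.inspect} => #{host_authorized?(env)}" }
end
```

A request with no `Host` header, or with any malformed host value, is rejected rather than passed through.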
Hi, @dentarg. It's not Ruby, but I referred to Python Django's case. I'm not a Ruby developer, so I chose the simplest way possible. https://docs.djangoproject.com/en/5.0/ref/settings/#use-x-forwarded-host
Co-authored-by: zzak <zzakscott@gmail.com>
Hi, @dentarg. I think you want a similar approach to fixing the issue as in the Rails case. Unfortunately, I'm not a Ruby expert but rather a security engineer, so I don't have the resources to write code at that level without any issues. I mentioned it in the previous comment, but please also consider the approach used in Django for fixing the issue. However, I can review the code for fixing the issue.
As I've stated, just adding a setting
Okay, got it. I'll close this ticket. Thank you for your review.
No description provided.