From 1b34a3e599e819bba3b6b736ecdc60b53c836fb1 Mon Sep 17 00:00:00 2001 From: Girish Ramakrishnan Date: Tue, 26 Apr 2022 14:59:38 -0700 Subject: [PATCH] proxyAuth: add header spoofing note --- src/nginxconfig.ejs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs index c6ea822f0..e222300e4 100644 --- a/src/nginxconfig.ejs +++ b/src/nginxconfig.ejs @@ -308,8 +308,8 @@ server { add_header Cache-Control no-cache; add_header Set-Cookie $auth_cookie; + # To prevent header spoofing from a client, these variables must always be set (or removed with '') for all proxyAuth routes proxy_set_header X-App-ID "<%= proxyAuth.id %>"; - proxy_set_header X-Remote-User $user; proxy_set_header X-Remote-Email $email; proxy_set_header X-Remote-Name $name;
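Review bot: The added comment above `proxy_set_header X-App-ID` states the rule but not the nginx behaviour that makes it easy to break. `proxy_set_header` directives are inherited from the enclosing level only when the current block defines none of its own, so a proxyAuth location that sets even one header must restate `X-App-ID`, `X-Remote-User`, `X-Remote-Email` and `X-Remote-Name`; otherwise the client's own values for them are forwarded to the app. I would put that reason in the comment, for example `# nginx inherits proxy_set_header only when a block defines none of its own: repeat all four identity headers (or set them to '') in every proxyAuth location`. The other routes of this server block are outside the hunk, so whether they already follow the rule cannot be confirmed from here. A test that renders the template and checks each proxyAuth location for the four headers would keep the invariant from resting on a comment alone.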