proxyAuth: add header spoofing note

2022-04-26 14:59:38 -07:00
parent 67d29dbad8
commit 1b34a3e599
1 changed files with 1 additions and 1 deletions
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -308,8 +308,8 @@ server {
    add_header Cache-Control no-cache;
    add_header Set-Cookie $auth_cookie;

+    # To prevent header spoofing from a client, these variables must always be set (or removed with '') for all proxyAuth routes
    proxy_set_header X-App-ID "<%= proxyAuth.id %>";
-
    proxy_set_header X-Remote-User $user;
    proxy_set_header X-Remote-Email $email;
    proxy_set_header X-Remote-Name $name;