fix(@angular/ssr): introduce trustProxyHeaders option to safely validate and sanitize proxy headers#33031
Open
alan-agius4 wants to merge 1 commit intoangular:21.2.xfrom
Open
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces the trustProxyHeaders configuration to AngularAppEngine, allowing for explicit control over which X-Forwarded-* headers are trusted during SSR. It replaces the previous header-patching approach with a more efficient sanitization process and adds a mechanism to deoptimize to CSR when certain proxy headers are present but untrusted. Review feedback suggests that the new VALID_PREFIX_REGEX is overly restrictive regarding dots in path segments and that the warning for unconfigured proxy headers should be adjusted to reduce log noise for default allowed headers.
…ate and sanitize proxy headers
This commit adds the `trustProxyHeaders` option to `AngularAppEngineOptions` and `AngularNodeAppEngineOptions` to configure, validate, and sanitize `X-Forwarded-*` headers.
- When `trustProxyHeaders` is `undefined` (default):
- Allows `X-Forwarded-Host` and `X-Forwarded-Proto`.
- Intercepts `X-Forwarded-Prefix` and triggers a dynamic CSR deoptimization to skip SSR if present.
- Logs an informative message when receiving any other `X-Forwarded-*` headers.
- When `false`:
- Ignores and strips all proxy headers from the request.
- When `true`:
- Trusts all proxy headers.
- When a string array:
- Allows only the proxy headers provided inside the array.
Example:
```ts
const engine = new AngularAppEngine({
// Allow all proxy headers
trustProxyHeaders: true,
});
// Or explicitly allow specific headers:
const engine = new AngularAppEngine({
trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-prefix'],
});
```
alan-agius4
force-pushed
the
x-forward-prefix-validation-patch
branch
from
d22ebae to
e769eae
Compare
alan-agius4
added
the
action: review
alan-agius4
added
the
target: patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…
This commit adds the
trustProxyHeadersoption toAngularAppEngineOptionsandAngularNodeAppEngineOptionsto configure, validate, and sanitizeX-Forwarded-*headers.trustProxyHeadersisundefined(default):X-Forwarded-HostandX-Forwarded-Proto.X-Forwarded-Prefixand triggers a dynamic CSR deoptimization to skip SSR if present.X-Forwarded-*headers.false:true:Example: