There is a mechanism to prevent external queries from reaching the metrics endpoints based on the presence or absence of the X-Forwarded-Host header. Would it be possible to also check for the presence of the X-Forwarded-For header (very often used when an application runs behind a reverse proxy)?
We do not use the X-Forwarded-Host anywhere because the Host header is never changed.
Expected Behavior
Deny the request when the DISABLE_EXTERNAL_ACCESS env is set and the X-Forwarded-For header is present in the request.
Actual Behavior
It only checks the presence of the X-Forwarded-Host header.
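A sketch of the requested check, as an added example that is not the project's own code or part of the original issue: the metrics endpoint is denied when DISABLE_EXTERNAL_ACCESS is set and either forwarding header is present. The function names, the 403 response, and treating any non-empty value as "set" are assumptions.

```javascript
// Added example, not the project's code. The header names and the
// DISABLE_EXTERNAL_ACCESS variable come from the issue; all function names,
// the 403 response and the "any non-empty value means set" rule are assumptions.
const FORWARDING_HEADERS = ['x-forwarded-host', 'x-forwarded-for'];

// Returns the forwarding headers present in a request's header object.
// Node lowercases incoming header names, but names are normalised here so the
// check also works on header maps built by hand or by other frameworks.
// A header sent with an empty value still counts as present.
function forwardingHeadersPresent(headers) {
  const names = new Set(Object.keys(headers || {}).map((n) => n.toLowerCase()));
  return FORWARDING_HEADERS.filter((h) => names.has(h));
}

// True when the request should be refused: the flag is set AND the request
// carries at least one header that a reverse proxy adds.
function shouldDenyMetrics(headers, env) {
  if (!env.DISABLE_EXTERNAL_ACCESS) return false;
  return forwardingHeadersPresent(headers).length > 0;
}

// Wraps a Node-style (req, res) metrics handler with the check.
function guardMetrics(handler, env = process.env) {
  return (req, res) => {
    if (shouldDenyMetrics(req.headers, env)) {
      res.statusCode = 403;
      res.end('Forbidden');
      return;
    }
    handler(req, res);
  };
}
```

The check is only as reliable as the proxy configuration: it assumes every externally routed request passes through a proxy that adds one of these headers.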