Closed. Arisstath closed this 3 years ago.
It seems, from https://github.com/perwendel/spark/issues/320, that Spark blindly trusts HTTP headers that can be spoofed, with no way to disable this behavior.
The newly introduced method Spark.trustForwardHeaders allows you to specify whether you want to use Jetty's ForwardedRequestCustomizer (https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/server/ForwardedRequestCustomizer.html).
I made some modifications to maintain backwards compatibility and renamed some methods. Thanks for contributing.
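To show what the toggle described in this PR controls underneath, here is an added embedded-Jetty example (not code from the PR or from the Spark project) that builds the same `ForwardedRequestCustomizer` either into the `HttpConfiguration` or not, and echoes the request values it affects. It assumes the Jetty 9.4 `javax.servlet` API; the class and method names `ForwardedHeaderDemo` and `build` are mine.

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical demo class; mirrors the on/off switch the PR adds to Spark.
public class ForwardedHeaderDemo {

    // trustForwardHeaders=true installs Jetty's ForwardedRequestCustomizer, which
    // rewrites getRemoteAddr()/getScheme()/getServerName() from X-Forwarded-* and
    // Forwarded headers. Only enable it when a trusted reverse proxy in front of
    // the server always overwrites those headers; otherwise any client can set them.
    static Server build(int port, boolean trustForwardHeaders) {
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        if (trustForwardHeaders) {
            config.addCustomizer(new ForwardedRequestCustomizer());
        }
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(port);
        server.addConnector(connector);
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest,
                               HttpServletRequest req, HttpServletResponse resp) throws IOException {
                // Echo the values an IP allow-list or "is this HTTPS?" check would rely on.
                resp.setContentType("text/plain");
                resp.getWriter().printf("remoteAddr=%s scheme=%s host=%s%n",
                        req.getRemoteAddr(), req.getScheme(), req.getServerName());
                baseRequest.setHandled(true);
            }
        });
        return server;
    }

    // Usage: pass "true" only when deploying behind a proxy that controls these headers.
    public static void main(String[] args) throws Exception {
        boolean behindTrustedProxy = args.length > 0 && Boolean.parseBoolean(args[0]);
        Server server = build(8080, behindTrustedProxy);
        server.start();
        server.join();
    }
}
```

A quick check on a test instance: with `false`, a direct request carrying an X-Forwarded-For header still reports the real socket address, while with `true` the echoed remoteAddr follows the header, which is exactly the exposure the linked issue describes when no trusted proxy sits in front.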