fix(@angular/ssr): enforce explicit opt-in for proxy headers#32911
Open
alan-agius4 wants to merge 1 commit intoangular:mainfrom
Open
fix(@angular/ssr): enforce explicit opt-in for proxy headers#32911alan-agius4 wants to merge 1 commit intoangular:mainfrom
alan-agius4 wants to merge 1 commit intoangular:mainfrom
Conversation
angular-robot
Bot
added
detected: breaking change
alan-agius4
force-pushed
the
x-forward-prefix-validation
branch
4 times, most recently
from
812e774 to
8a649a5
Compare
alan-agius4
changed the title
alan-agius4
force-pushed
the
x-forward-prefix-validation
branch
3 times, most recently
from
8de34e7 to
2cf1919
Compare
alan-agius4
force-pushed
the
x-forward-prefix-validation
branch
from
2cf1919 to
fca2679
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements support for trusting and sanitizing proxy headers (X-Forwarded-*) in the Angular SSR engine. It introduces a new configuration option to specify allowed proxy headers, replaces the request cloning/patching logic with a more performant sanitization utility, and enhances the validation of host and prefix headers. Review feedback identifies a critical naming inconsistency between 'trustProxyHeaders' and 'allowedProxyHeaders' across the public API and various modules, a property access error in the Node engine implementation, and a minor optimization for header name normalization.
alan-agius4
force-pushed
the
x-forward-prefix-validation
branch
2 times, most recently
from
50ad11b to
a45cea9
Compare
alan-agius4
added
the
target: major
alan-agius4
added
the
action: review
This commit introduces a secure-by-default model for trusting proxy
headers (`X-Forwarded-*`) in the `@angular/ssr` package. Previously, the
engine relied on complex lazy header patching and regex filters to guard
against spoofed headers. However, implicit decoding behaviors by URL
constructors can render naive regex filtering ineffective against certain
percent-encoded payloads.
To harden the engine against Server-Side Request Forgery (SSRF) and
header-spoofing attacks:
- Introduced the `allowedProxyHeaders` configuration option to
`AngularAppEngineOptions` and `AngularNodeAppEngineOptions`.
- By default (`false`), all incoming `X-Forwarded-*` headers are aggressively
scrubbed unless explicitly whitelisted via `trustProxyHeaders`.
- Replaced the lazy `cloneRequestAndPatchHeaders` utility with a simplified,
eager `sanitizeRequestHeaders` that centralizes the header scrubbing logic.
- Hardened `verifyHostAllowed` to definitively reject parsed hosts that successfully
carry path, search, hash, or auth components, replacing previously fallible
regex filters for stringently checked hosts.
BREAKING CHANGE:
The `@angular/ssr` package now ignores all `X-Forwarded-*` proxy headers by default. If your application relies on these headers (e.g., for resolving absolute URLs, trust proxy, or custom proxy-related logic), you must explicitly allow them using the new `trustProxyHeaders` option in the application server configuration.
Example:
```ts
const engine = new AngularAppEngine({
// Allow all proxy headers
trustProxyHeaders: true,
});
// Or explicitly allow specific headers:
const engine = new AngularAppEngine({
trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-prefix'],
});
```
alan-agius4
force-pushed
the
x-forward-prefix-validation
branch
from
a45cea9 to
a0aa5ba
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit introduces a secure-by-default model for trusting proxy
headers (
X-Forwarded-*) in the@angular/ssrpackage. Previously, theengine relied on complex lazy header patching and regex filters to guard
against spoofed headers. However, implicit decoding behaviors by URL
constructors can render naive regex filtering ineffective against certain
percent-encoded payloads.
To harden the engine against Server-Side Request Forgery (SSRF) and
header-spoofing attacks:
allowedProxyHeadersconfiguration option toAngularAppEngineOptionsandAngularNodeAppEngineOptions.false), all incomingX-Forwarded-*headers are aggressivelyscrubbed unless explicitly whitelisted via
trustProxyHeaders.cloneRequestAndPatchHeadersutility with a simplified,eager
sanitizeRequestHeadersthat centralizes the header scrubbing logic.verifyHostAllowedto definitively reject parsed hosts that successfullycarry path, search, hash, or auth components, replacing previously fallible
regex filters for stringently checked hosts.
BREAKING CHANGE:
The
@angular/ssrpackage now ignores allX-Forwarded-*proxy headers by default. If your application relies on these headers (e.g., for resolving absolute URLs, trust proxy, or custom proxy-related logic), you must explicitly allow them using the newtrustProxyHeadersoption in the application server configuration.Example: