fix(@angular/ssr): enforce explicit opt-in for proxy headers #32911
Draft
alan-agius4 wants to merge 1 commit into angular:main from
This commit introduces a secure-by-default model for trusting proxy
headers (`X-Forwarded-*`) in the `@angular/ssr` package. Previously, the
engine relied on complex lazy header patching and regex filters to guard
against spoofed headers. However, implicit decoding behaviors by URL
constructors can render naive regex filtering ineffective against certain
percent-encoded payloads.

To harden the engine against Server-Side Request Forgery (SSRF) and
header-spoofing attacks:

- Introduced the `allowedProxyHeaders` configuration option to
  `AngularAppEngineOptions` and `AngularNodeAppEngineOptions`.
- By default (`false`), all incoming `X-Forwarded-*` headers are aggressively
  scrubbed unless explicitly whitelisted via `allowedProxyHeaders`.
- Replaced the lazy `cloneRequestAndPatchHeaders` utility with a simplified,
  eager `sanitizeRequestHeaders` that centralizes the header scrubbing logic.
- Hardened `verifyHostAllowed` to definitively reject parsed hosts that successfully
  carry path, search, hash, or auth components, replacing previously fallible
  regex filters for stringently checked hosts.

BREAKING CHANGE:

The `@angular/ssr` package now ignores all `X-Forwarded-*` proxy headers by default. If your application relies on these headers (e.g., for resolving absolute URLs, trust proxy, or custom proxy-related logic), you must explicitly allow them using the new `allowedProxyHeaders` option in the application server configuration.

Example:
```ts
const engine = new AngularAppEngine({
  // Allow all proxy headers
  allowedProxyHeaders: true,
});
// Or explicitly allow specific headers:
const engine = new AngularAppEngine({
  allowedProxyHeaders: ['x-forwarded-host', 'x-forwarded-prefix'],
});
```
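
The opt-in scrubbing and parsed-host check described in the commit message, sketched as an added example; this is not the code from this pull request or from `@angular/ssr`. The helper names (`scrubProxyHeaders`, `parseBareHost`, `resolveHost`), the fallback to `Host`, and the sample headers are assumptions made for illustration.

```typescript
// Added example: hypothetical helper names, not the @angular/ssr implementation.
type AllowedProxyHeaders = boolean | string[];

// Constructed sample request headers (illustrative values only).
const SAMPLE_HEADERS: Record<string, string> = {
  'Host': 'app.example.test',
  'X-Forwarded-Host': 'cdn.example.test/extra',
  'X-Forwarded-Proto': 'https',
  'Accept': 'text/html',
};

// Eagerly drop every X-Forwarded-* header that was not explicitly allowed.
function scrubProxyHeaders(
  headers: Record<string, string>,
  allowed: AllowedProxyHeaders = false,
): Record<string, string> {
  const allowList = Array.isArray(allowed) ? allowed.map((h) => h.toLowerCase()) : [];
  const kept: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const isProxyHeader = lower.startsWith('x-forwarded-');
    if (!isProxyHeader || allowed === true || allowList.includes(lower)) {
      kept[lower] = value;
    }
  }
  return kept;
}

// Judge the host by what the URL parser produced, not by a pattern on the raw
// string; return the parsed host, or null if anything beyond host[:port] appears.
function parseBareHost(candidate: string): string | null {
  try {
    const url = new URL(`http://${candidate}`);
    const extras = url.username + url.password + url.search + url.hash;
    return url.hostname !== '' && url.pathname === '/' && extras === '' ? url.host : null;
  } catch {
    return null; // not parseable as a host at all
  }
}

// Assumed flow: a forwarded host is considered only after scrubbing and parsing.
function resolveHost(headers: Record<string, string>, allowed: AllowedProxyHeaders = false): string | null {
  const clean = scrubProxyHeaders(headers, allowed);
  return parseBareHost(clean['x-forwarded-host'] ?? clean['host'] ?? '');
}
```

With the default (`false`) the forwarded host in the sample is never consulted; once it is allowed, its path component causes the request host to be rejected rather than silently replaced.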