
x-forwarded-host is blindly trusted

Open dantman opened this issue 9 years ago • 0 comments

In BaseFacebook I see 2 methods that blindly do something like headers['x-forwarded-host'] || headers.host.

The x-forwarded-host is not trustworthy; it can only be trusted if you know that there is a reverse proxy directly in front of node that sets it (express has its own config for this). Otherwise x-forwarded-host can be manipulated to anything by the client.

dantman, Aug 20 '14 07:08