wagi
Normalize more incoming HTTP headers
Right now, we only remove the following HTTP headers from the ones that are injected into the environment:
- HTTP_AUTHORIZATION
- HTTP_CONNECTION
The specification notes that other security-sensitive headers should also be removed. What headers should be removed?
Proxy
Otherwise attackers can control HTTP_PROXY, which is usually automatically read by tools like HTTP clients. This presents a server-side request "forgery"/exfil risk, where the attacking client controls where the server will send unrelated backend requests, if it makes any.
See httpoxy.org
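As an added illustration (not WAGI's own code), here is how a header-to-environment step can apply a deny list so that `Proxy`, `Authorization` and `Connection` never reach the guest as `HTTP_*` variables. The check is done on the resulting environment name rather than the raw header name, because both `-` and `_` collapse to `_` during the CGI rename. The hop-by-hop entries beyond the three the issue names are an assumption about what else a server should drop.

```rust
use std::collections::HashMap;

/// Environment names that must never be populated from client headers.
/// HTTP_AUTHORIZATION and HTTP_CONNECTION are what the issue already strips;
/// HTTP_PROXY is the httpoxy case (many HTTP client libraries read it as
/// their outbound proxy). The remaining entries are hop-by-hop headers this
/// example also drops; that extension is an assumption, not the issue's decision.
const DENIED_ENV: &[&str] = &[
    "HTTP_AUTHORIZATION",
    "HTTP_CONNECTION",
    "HTTP_PROXY",
    "HTTP_PROXY_AUTHORIZATION",
    "HTTP_KEEP_ALIVE",
    "HTTP_TRANSFER_ENCODING",
    "HTTP_TE",
    "HTTP_TRAILER",
    "HTTP_UPGRADE",
];

/// CGI-style rename: HTTP_ prefix, uppercase, `-` replaced by `_`.
/// Note that `Proxy_Authorization` and `Proxy-Authorization` both map to
/// HTTP_PROXY_AUTHORIZATION, which is why the deny check uses this name.
fn env_name(header: &str) -> String {
    format!("HTTP_{}", header.to_ascii_uppercase().replace('-', "_"))
}

/// Build the environment map from incoming headers, skipping denied names.
/// Matching is case-insensitive, so `PROXY:` and `Proxy:` are treated alike.
pub fn headers_to_env(headers: &[(&str, &str)]) -> HashMap<String, String> {
    let mut env = HashMap::new();
    for (name, value) in headers {
        let key = env_name(name);
        if DENIED_ENV.contains(&key.as_str()) {
            continue;
        }
        env.insert(key, value.to_string());
    }
    env
}

fn main() {
    // Constructed sample request headers, including a hostile `Proxy:` one.
    let headers = [
        ("Host", "example.invalid"),
        ("Proxy", "http://attacker.invalid:8080"),
        ("Authorization", "Bearer secret"),
        ("X-Request-Id", "abc123"),
    ];
    for (k, v) in headers_to_env(&headers) {
        println!("{k}={v}");
    }
}
```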