RequestId middleware accepts X-Request-Id header from any route
What version of Hono are you using?
latest
What runtime/platform is your app running on? (with version if possible)
node
What steps can reproduce the bug?
If the requestId middleware is added to a Hono application as documented here https://hono.dev/docs/middleware/builtin/request-id, it is vulnerable to log tampering because it accepts the request ID header X-Request-Id from requests made from a browser (https://github.com/honojs/hono/blob/15a83b125cae5a772f265ce448974c03efa5e3bc/src/middleware/request-id/request-id.ts#L48), and anyone can provide a static request ID, which will mess up logs.
What is the expected behavior?
Secure by default.
The usage documentation https://hono.dev/docs/middleware/builtin/request-id should warn about this issue when the middleware is configured for all routes.
Potentially the RequestId middleware configuration options should take a path(s) option marking which paths are considered insecure or secure, and based on that information trust or distrust the given X-Request-Id header.
What do you see instead?
No response
Additional information
No response
Hi @RopoMen Thank you for the issue.
@ryuapp What do you think of this?
That is expected behavior, but the docs were lacking; we must write the spec in detail in the docs. IMO, changing how headers are retrieved in order to achieve "secure by default" seems like a breaking change and is not desirable, at least for minor and patch versions, because the request ID is for logging purposes, so this is not a critical issue (although it is an issue). However, if a behavior change is made due to a lack of docs, I support that opinion too.
I think we can close this issue since the docs https://github.com/honojs/website/pull/689 have been added. Thank you.