Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Reverse proxy handling does not handle X-Forwarded-Host with comma separated values #2370
This is a follow-up to issue #2366, where X-Forwarded-Host was fixed to read a string instead of array when running on Owin.
After some further real-life testing, it turns out that while the value is only a single string, it may actually contain a comma separated list of values.
There's no clear specification of this, since the header is non-standard, but in practice some proxies will pass multiple hosts separated by comma. For example:
The logic for handling this header should probably be:
An example of apache generating a comma separated header, when the proxy is behind another proxy: