From 5cd2e28b7872b8cd9b1a949c6909357bab4d67ea Mon Sep 17 00:00:00 2001
From: Maksym
Date: Fri, 31 May 2024 13:19:15 +0200
Subject: [PATCH] Update default.conf to include X-Forwarded-Host overwrite as default

This prevents X-Forwarded forgery if upstream services trust the headers set by nginx, and downstream clients can set falsified forward headers.
---
 default.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/default.conf b/default.conf
index e328b81..afc1c06 100644
--- a/default.conf
+++ b/default.conf
@@ -16,6 +16,7 @@ server {
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $http_host;
 proxy_set_header X-Forwarded-Proto $scheme;
 # add support for websockets
 proxy_set_header Upgrade $http_upgrade;
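Review bot: The added `proxy_set_header X-Forwarded-Host $http_host;` replaces a client-sent X-Forwarded-Host, but `$http_host` is itself the request's Host header, so the forwarded value is still chosen by the client unless this server block only answers for known names. The `server_name` and `listen` lines are outside the hunk, so that cannot be confirmed here. A comment such as `# X-Forwarded-Host mirrors the client's Host header; upstreams must still check it against an allowlist` would keep readers from treating the value as trusted. The context line `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` still appends to whatever X-Forwarded-For the client sent, so if nginx is the first hop the matching overwrite would be `proxy_set_header X-Forwarded-For $remote_addr;`.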