The processing of the X-Forwarded-Proto header results in redirection to the injected protocol. While this scenario may have limited impact, improper handling of such headers could result in unpredictable security risks, such as bypass of security mechanisms or confusion in handling TLS.
```http
GET /portal HTTP/2
Host: portal.caddysecurity.network
X-Forwarded-Proto: evil_protocol
Content-Length: 2
```
To address this issue, do not rely on the X-Forwarded-Proto header. If it is required, validate the value of the X-Forwarded-Proto header against an allowlist of accepted protocols (e.g., HTTP/HTTPS) and reject unexpected values.
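As an added example (not code from caddy-security or Caddy), the Go sketch below applies the allowlist rule described above: the redirect scheme is taken from X-Forwarded-Proto only when the request arrived through a trusted proxy and the value is http or https; any other value is rejected with a 400 instead of being copied into the Location header. The `/portal/login` target path, the hostname and the `trustedProxy` flag are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedProtos is the allowlist of schemes accepted from X-Forwarded-Proto.
var allowedProtos = map[string]bool{"http": true, "https": true}

// redirectScheme picks the scheme for a redirect. The proxy header is honoured
// only from a trusted proxy and only if its value is on the allowlist; anything
// else is rejected instead of being copied into the Location header.
func redirectScheme(r *http.Request, trustedProxy bool) (string, error) {
	observed := "http"
	if r.TLS != nil {
		observed = "https"
	}
	raw := r.Header.Get("X-Forwarded-Proto")
	if !trustedProxy || raw == "" {
		return observed, nil
	}
	// Use the first hop's value; normalise case before the lookup.
	proto := strings.ToLower(strings.TrimSpace(strings.Split(raw, ",")[0]))
	if !allowedProtos[proto] {
		return "", fmt.Errorf("rejected X-Forwarded-Proto %q", raw)
	}
	return proto, nil
}

// portalRedirect builds the Location for a hypothetical /portal -> /portal/login
// redirect and returns it with the status to send (400 when the header is rejected).
func portalRedirect(r *http.Request, trustedProxy bool) (string, int) {
	scheme, err := redirectScheme(r, trustedProxy)
	if err != nil {
		return "", http.StatusBadRequest
	}
	u := url.URL{Scheme: scheme, Host: r.Host, Path: "/portal/login"}
	return u.String(), http.StatusFound
}

func main() {
	// Constructed request mirroring the report: an injected protocol value.
	req := httptest.NewRequest("GET", "https://portal.example.test/portal", nil)
	req.Header.Set("X-Forwarded-Proto", "evil_protocol")
	loc, code := portalRedirect(req, true)
	fmt.Println(code, loc) // 400 and an empty Location
}
```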
More information about our Caddy Security public disclosure:
Severity: Low