Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

X-Forwarded-Host may contain commas #371

insom opened this issue May 30, 2013 · 3 comments


None yet
4 participants
Copy link

commented May 30, 2013


At work, we recently switched to a set up with an Apache mod_proxy at the edge of our network and then another mod_proxy local to the machine one of our applications is hosted on. This lead to us getting this header back from a Flask app:


And we traced this back to the X-Forwarded-Host header which, when using two Apache mod_proxy instances, can be comma separated. The Django guys had this 5 years ago: but their solution was to remove support for trusting this header.

In our app we just used RequestHeader unset X-Forwarded-Host in Apache as a work around, but the default behaviour in Werkzeug could probably be improved to just use the first entry if it's comma separated.



This comment has been minimized.

Copy link

commented May 30, 2013

Should this be the job of werkzeug.contrib.fixers.ProxyFix? [edit] It does appear to already process this header.


This comment has been minimized.

Copy link

commented May 30, 2013

I don't think the provided builtin fixers should sacrifice overall performance to cover all edge cases. Writing own fixers to cover the own cases is usually easy enough and makes for better performance too.

@mitsuhiko mitsuhiko closed this in 955174d May 31, 2013


This comment has been minimized.

Copy link

commented May 31, 2013

I think this makes sense to fix :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.