X-Forwarded-Host may contain commas #371
At work, we recently switched to a setup with an Apache mod_proxy at the edge of our network and then another mod_proxy local to the machine one of our applications is hosted on. This led to us getting this header back from a Flask app:
And we traced this back to the X-Forwarded-Host header which, when using two Apache mod_proxy instances, can be comma separated. The Django guys had this 5 years ago: https://code.djangoproject.com/ticket/9064 but their solution was to remove support for trusting this header.
In our app we just used
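An added example, not part of the original issue and not the workaround the reporter's app used: one way to handle a comma-separated X-Forwarded-Host in a WSGI app, assuming each proxy appends the Host it received. The names `select_forwarded_host` and `ForwardedHostMiddleware`, the `trusted_proxies` count, the `allowed_hosts` set and the sample hostnames are all hypothetical.

```python
import re

# Hostname or IPv4 literal with optional port (bracketed IPv6 is left out for brevity).
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?(?::\d{1,5})?$")


def select_forwarded_host(header_value, trusted_proxies, allowed_hosts):
    """Pick the X-Forwarded-Host entry written by the outermost trusted proxy.

    Assumes each proxy appends the Host it received, so with N proxies under
    our control the entry to use is the N-th from the right. Anything further
    left was supplied by the client. Returns None when no entry can be trusted.
    """
    if not header_value or trusted_proxies < 1:
        return None
    hops = [h.strip().lower() for h in header_value.split(",")]
    if len(hops) < trusted_proxies:
        return None  # a proxy was bypassed or misconfigured: do not guess
    candidate = hops[-trusted_proxies]
    if not _HOST_RE.match(candidate):
        return None
    if candidate.split(":")[0] not in allowed_hosts:
        return None
    return candidate


class ForwardedHostMiddleware:
    """WSGI wrapper that replaces HTTP_HOST with the validated forwarded host."""

    def __init__(self, app, trusted_proxies, allowed_hosts):
        self.app = app
        self.trusted_proxies = trusted_proxies
        self.allowed_hosts = frozenset(h.lower() for h in allowed_hosts)

    def __call__(self, environ, start_response):
        host = select_forwarded_host(
            environ.get("HTTP_X_FORWARDED_HOST"),
            self.trusted_proxies,
            self.allowed_hosts,
        )
        if host is not None:
            environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


# Constructed sample: header as seen behind two chained proxies.
SAMPLE = "www.example.com, app-host.internal.example"
```

When the header cannot be trusted, the middleware leaves `HTTP_HOST` as the inner proxy sent it, so a client-supplied value never reaches URL generation.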