connect session.js parses x-forwarded-proto wrong #733

Closed
azylman opened this Issue · 1 comment

Alex Zylman

Here's the line where you parse x-forwarded-proto: https://github.com/senchalabs/connect/blob/master/lib/middleware/session.js#L252

Basically, you check that it equals "https". However, if the request needs to go through multiple proxies it's common practice to append the protocols as you go through proxies, e.g. "https,http". This is what node-http-proxy does: https://github.com/nodejitsu/node-http-proxy/blob/master/lib/node-http-proxy/http-proxy.js#L154

You can also see this behavior listed in Wikipedia for, at least, X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For#Format

So you should probably split on comma and check that the first element in the resulting array is 'https' instead.

TJ Holowaychuk
Owner
tj commented

That's mentioning X-Forwarded-For only. I've never seen this outside of node-http-proxy, but the split certainly wouldn't hurt.

TJ Holowaychuk tj closed this in 7bcf285
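
The two checks discussed in this issue, side by side, as an added example that is not part of the thread and is not connect's own code. The helper names, the `trustProxy` parameter and the sample requests are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not connect's API.

// Strict comparison, as the issue describes the existing check.
function strictProtoIsHttps(headerValue) {
  return (headerValue || '').toLowerCase() === 'https';
}

// Split on comma and compare the first element, as the issue suggests.
function firstProtoIsHttps(headerValue) {
  if (typeof headerValue !== 'string') return false;
  const first = headerValue.split(',')[0].trim().toLowerCase();
  return first === 'https';
}

// Treat the request as secure if TLS terminates in this process, or if a
// trusted proxy reports https. Without trustProxy the header is ignored,
// because any client can send it.
function isSecure(req, trustProxy, check) {
  if (req.connection && req.connection.encrypted) return true;
  if (!trustProxy) return false;
  return check(req.headers['x-forwarded-proto']);
}

// Constructed sample requests (not captured traffic).
function sample(proto, encrypted) {
  const headers = proto === undefined ? {} : { 'x-forwarded-proto': proto };
  return { headers, connection: { encrypted: !!encrypted } };
}

const cases = ['https', 'https,http', 'HTTPS , http', 'http,https', undefined];
for (const proto of cases) {
  const req = sample(proto, false);
  console.log(JSON.stringify(proto),
    'strict:', isSecure(req, true, strictProtoIsHttps),
    'split:', isSecure(req, true, firstProtoIsHttps));
}
```

With the strict check, a request that arrived over HTTPS through two proxies ("https,http") is treated as plain HTTP, so a session cookie marked secure would not be set for it. Taking the first element is only sound when the outermost trusted proxy overwrites or strips any X-Forwarded-Proto value supplied by the client.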