Skip to content

fix: enforce proxy trust boundaries for x-forwarded-for (closes #379)#436

Merged
hman38705 merged 1 commit intosolutions-plug:mainfrom
Dev-Odun-oss:issue-379-proxy-trust
Mar 30, 2026
Merged

fix: enforce proxy trust boundaries for x-forwarded-for (closes #379)#436
hman38705 merged 1 commit intosolutions-plug:mainfrom
Dev-Odun-oss:issue-379-proxy-trust

Conversation

@Dev-Odun-oss
Copy link
Copy Markdown
Contributor

@Dev-Odun-oss Dev-Odun-oss commented Mar 30, 2026

Enforce Trusted Proxy Boundaries for x-forwarded-for Handling

Overview

This PR strengthens request security by enforcing trusted proxy boundaries when handling the x-forwarded-for header.

Description

Currently, the x-forwarded-for header is trusted without validating the source of the request.
This creates a security risk, as malicious clients can spoof IP addresses.
This PR introduces configurable trusted proxy CIDRs and ensures that forwarded headers are only honored when requests originate from trusted sources.

Problem

  • x-forwarded-for is trusted without validation
  • Susceptible to IP spoofing
  • No distinction between direct and proxied requests

Changes

  • Added support for configurable trusted proxy CIDRs
  • Implemented validation to:
    • Trust x-forwarded-for only from known proxy ranges
    • Ignore spoofed headers from untrusted sources
  • Updated request handling logic in:
    • services/api/src/security.rs
    • services/api/src/handlers.rs

Acceptance Criteria

  • Trusted proxy CIDRs are configurable
  • Spoofed headers are ignored for untrusted sources
  • Tests cover both direct and proxied deployment scenarios

Impact

  • Improves security by preventing IP spoofing
  • Ensures accurate client IP detection
  • Supports safe deployment behind reverse proxies

Testing

  • Added tests for:
    • Direct client requests (no proxy)
    • Requests through trusted proxies
    • Requests with spoofed headers from untrusted sources
  • Verified correct IP resolution in all scenarios

Notes

@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented Mar 30, 2026

@jemilahabiodun-oss Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@hman38705 hman38705 merged commit 4ddb0a9 into solutions-plug:main Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Harden client IP extraction for trusted proxy setups

2 participants

@Dev-Odun-oss @hman38705