Releases: suin/ishi

Add X-Forwarded-Host Header

28 Mar 01:38

Ishi now adds an X-Forwarded-Host header to requests. The header carries the host name through which users accessed the site. These host names are a combination of IP address and port number, such as 192.168.0.10:8000, so backend applications can easily determine the original host name.

For example, PHP applications can read the X-Forwarded-Host header from $_SERVER:

$originalHostname = $_SERVER['HTTP_X_FORWARDED_HOST'];
// this will be a LAN IP address and port like 192.168.0.10:8000

// You could also overwrite `HTTP_HOST` with `HTTP_X_FORWARDED_HOST` (use one of the two lines below).
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'] ?? $_SERVER['HTTP_HOST']; // PHP7 style
$_SERVER['HTTP_HOST'] = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST']; // PHP5 style

WARNING

Handle the X-Forwarded-Host header with care. The header can lead to exploits because attackers can easily spoof it. In production especially, it is recommended that use of the header be disabled.

// Only honour the header in development; an unset variable leaves HTTP_HOST untouched.
if (($_ENV['environment'] ?? null) === 'development') {
  $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'] ?? $_SERVER['HTTP_HOST'];
}

If you use the Symfony family, its Trusting Proxies feature is also a good choice.
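For applications without a framework, the same idea can be written by hand. The following is an added example, not code from ishi or its release notes: it accepts X-Forwarded-Host only when the direct peer is a trusted proxy and the forwarded value is on an explicit allowlist. The function name `resolveHost`, the proxy address 127.0.0.1 and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return the host name to use for this request (hypothetical helper).
 * X-Forwarded-Host is honoured only when the direct peer is a trusted
 * proxy AND the forwarded value is on an explicit allowlist.
 */
function resolveHost(array $server, array $trustedProxies, array $allowedHosts): string
{
    $fallback  = $server['HTTP_HOST'] ?? 'localhost';
    $forwarded = $server['HTTP_X_FORWARDED_HOST'] ?? null;
    $peer      = $server['REMOTE_ADDR'] ?? '';

    // No header, or the request did not arrive from our proxy: ignore the header.
    if ($forwarded === null || !in_array($peer, $trustedProxies, true)) {
        return $fallback;
    }

    // Exact-match allowlist. Comma-joined lists or values with stray
    // characters do not match and fall back to the Host header.
    $candidate = strtolower(trim($forwarded));
    return in_array($candidate, $allowedHosts, true) ? $candidate : $fallback;
}

// Assumption: the proxy runs on the same machine as the application.
$trustedProxies = ['127.0.0.1'];
// The LAN address used in the example above.
$allowedHosts = ['192.168.0.10:8000'];

// Constructed sample requests (not captured traffic).
$samples = [
    'via proxy, expected host' => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_HOST' => 'myapp.local', 'HTTP_X_FORWARDED_HOST' => '192.168.0.10:8000'],
    'via proxy, unknown host'  => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_HOST' => 'myapp.local', 'HTTP_X_FORWARDED_HOST' => 'unexpected.example'],
    'direct client, spoofed'   => ['REMOTE_ADDR' => '192.168.0.55', 'HTTP_HOST' => 'myapp.local', 'HTTP_X_FORWARDED_HOST' => '192.168.0.10:8000'],
    'no forwarded header'      => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_HOST' => 'myapp.local'],
];

// Only the first sample resolves to the forwarded value; the rest keep myapp.local.
foreach ($samples as $label => $server) {
    printf("%-26s => %s\n", $label, resolveHost($server, $trustedProxies, $allowedHosts));
}
```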

Related Issues