@@ -35,15 +35,28 @@ and what headers your reverse proxy uses to send information::
3535 ['192.0.0.1', '10.0.0.0/8'],
3636
3737 // trust *all* "X-Forwarded-*" headers
38- Request::HEADER_X_FORWARDED_ALL
38+ Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
3939
4040 // or, if your proxy instead uses the "Forwarded" header
4141 // Request::HEADER_FORWARDED
4242
43- // or, if you're using AWS ELB
43+ // or, if you're using a well-known proxy
4444 // Request::HEADER_X_FORWARDED_AWS_ELB
45+ // Request::HEADER_X_FORWARDED_TRAEFIK
4546 );
4647
48+ .. deprecated :: 5.2
49+
50+ In previous Symfony versions, the above example used ``HEADER_X_FORWARDED_ALL ``
51+ to trust all "X-Forwarded-*" headers, but that constant is deprecated since
52+ Symfony 5.2 in favor of the individual ``HEADER_X_FORWARDED_*`` constants.
53+
54+ .. caution ::
55+
56+ Enabling the ``Request::HEADER_X_FORWARDED_HOST `` option exposes the
57+ application to `HTTP Host header attacks `_. Make sure the proxy really
58+ sends an ``x-forwarded-host `` header.
59+
4760The Request object has several ``Request::HEADER_* `` constants that control exactly
4861*which * headers from your reverse proxy are trusted. The argument is a bit field,
4962so you can also pass your own value (e.g. ``0b00110 ``).
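Review bot: the safety condition in the new caution (lines 56-58) is stated too weakly: "Make sure the proxy really sends an ``x-forwarded-host`` header" does not protect the application, because a proxy that merely forwards whatever ``X-Forwarded-Host`` the client supplied still lets any client pick the host that is trusted once ``Request::HEADER_X_FORWARDED_HOST`` is enabled. Suggest rewording to something like "Make sure the proxy really sets (overwrites) the ``X-Forwarded-Host`` header instead of passing through a value sent by the client", which is the check that actually matters against the linked Host header attacks. A smaller style point on the replacement line 38: the OR'd expression is far too long for a rendered code block, so break it over two lines, e.g. ``Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST`` followed by ``| Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO`` indented under it; the surrounding comment "trust *all* X-Forwarded-* headers" stays accurate since those four constants together are the full set the deprecated ``HEADER_X_FORWARDED_ALL`` covered.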
@@ -114,3 +127,4 @@ In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value
114127.. _`security groups` : https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
115128.. _`CloudFront` : https://en.wikipedia.org/wiki/Amazon_CloudFront
116129.. _`CloudFront IP ranges` : https://ip-ranges.amazonaws.com/ip-ranges.json
130+ .. _`HTTP Host header attacks` : https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html