Re: [Unbearable] Dealing with header injection through reverse proxies

Hey Willy,

> What I've seen and used was slightly different:
>   1) proxies unconditionally remove the header field
>   2) proxies unconditionally add the new header field even with no
>      certificate
>   3) servers verify that there is exactly one header field
>
> This way even if step 1 above fails (eg: usual typo in the rule needed
> to strip the header field which nobody notices since nobody injects
> such a field name), step 2 ensures that any injection will be detected
> in step 3.

This is exactly what the current draft suggests and what EKR objects to,
because a misconfigured proxy that doesn't know about
"X-Client-Certificate" won't execute steps 1-3 for the
"X-Client-Certificate" header.

Best regards,
Piotr Sikora

Received on Tuesday, 18 July 2017 09:20:44 UTC
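An added illustration of the three-step scheme from the quoted message and of the objection in the reply; this is example code written for this page, not code from the draft or from either author. Headers are modelled as an ordered list of (name, value) pairs so duplicate fields stay visible, the "none" placeholder value and the function names are assumptions, and the forged value is constructed.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]
CERT_HEADER = "X-Client-Certificate"  # header name used in the thread
NO_CERT = "none"  # assumed placeholder for "no client certificate presented"


def proxy_forward(headers: List[Header], client_cert: Optional[str],
                  strip_rule_ok: bool = True, knows_header: bool = True) -> List[Header]:
    """Model of the reverse proxy (hypothetical helper).

    strip_rule_ok=False models the typo in step 1 (the strip rule never matches).
    knows_header=False models the objection in the reply: a proxy that has never
    been configured for the header performs none of the three steps."""
    if not knows_header:
        return list(headers)
    # Step 1: remove any incoming copy of the field (unless the rule is broken).
    out = [(n, v) for (n, v) in headers
           if not (strip_rule_ok and n.lower() == CERT_HEADER.lower())]
    # Step 2: unconditionally add exactly one field, even with no certificate.
    out.append((CERT_HEADER, client_cert if client_cert else NO_CERT))
    return out


def server_client_cert(headers: List[Header]) -> Optional[str]:
    """Step 3: the origin server trusts the value only if exactly one field exists."""
    values = [v for (n, v) in headers if n.lower() == CERT_HEADER.lower()]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {CERT_HEADER}, got {len(values)}")
    return None if values[0] == NO_CERT else values[0]


def run_scenarios() -> dict:
    """Outcome of each case; 'rejected' means step 3 detected the injection."""
    injected = [("Host", "app.example"), (CERT_HEADER, "FORGED-CERT")]  # constructed
    results = {}
    # a) proxy correct: the injected field is stripped, placeholder added.
    results["stripped"] = server_client_cert(proxy_forward(injected, None))
    # b) step 1 typo: two fields reach the server, caught by step 3.
    try:
        server_client_cert(proxy_forward(injected, None, strip_rule_ok=False))
        results["typo"] = "accepted"
    except ValueError:
        results["typo"] = "rejected"
    # c) proxy unaware of the header name: one forged field passes the count check.
    results["unaware"] = server_client_cert(proxy_forward(injected, None, knows_header=False))
    return results
```

Case (c) is the point of the reply: the "exactly one field" check cannot distinguish a forged field from one added by a proxy that never ran steps 1 and 2.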