Why are clients allowed to spoof the X-Forwarded-Port header?

mtlynch · December 1, 2021, 12:52am

I was debugging some issues with proxy headers in my app, and I stumbled across this snippet in the runtime environment docs:

X-Forwarded-Port
Original connection port: This header may be set by the client [emphasis added] and should denote the port that the client set out to connect to.

I tested it and confirmed that the client can indeed override the X-Forwarded-Port that the fly edge proxy normally populates.

Is this behavior intentional?

I can’t understand the purpose of it. The edge proxy knows what port the client connected to, right? At best, the client is redundantly telling the server information it already knows. At worst, the client is sending an incorrect X-Forwarded-Port value that doesn’t match the port it actually connected to. It seems like it increases the chances of a security vulnerability in the backend app, as it would be easy for an app to treat X-Forwarded-Port as a non-spoofable header.

kurt · December 1, 2021, 10:04pm

The quick answer is, it’s somewhat common to run Fly apps behind a CDN of some kind. The x-forwarded- headers behave differently, though. x-forwarded-for supports appending IPs to the previous header. The others don’t.

The behavior is intentional but it’s not ideal.

mtlynch · December 1, 2021, 10:23pm

Got it, thanks!

Topic		Replies	Views
Fly-Forwarded-Port missing Questions / Help	3	217	April 16, 2022
Does Fly proxy strip X-Forwarded-Proto header from incoming requests? Questions / Help	1	91	February 8, 2024
Firewall Whitelist Questions / Help	6	1114	May 1, 2023
Recommended setting for `trust proxy` on express Questions / Help	5	4470	November 14, 2022
ASP.NET Core unable to use Forwarded Headers Questions / Help	4	4234	April 23, 2022

Why are clients allowed to spoof the X-Forwarded-Port header?

Related Topics