Posted to dev@tapestry.apache.org by "Nicolas Bouillon (JIRA)" <ji...@apache.org> on 2013/03/16 11:10:13 UTC

[jira] [Commented] (TAP5-2058) Support X-Forwarded-Proto to identify a Request secured (https)

    [ https://issues.apache.org/jira/browse/TAP5-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13604186#comment-13604186 ] 

Nicolas Bouillon commented on TAP5-2058:
----------------------------------------

I think you should trust this header only if request.remoteHost is a trusted proxy. 
The list of trusted proxies could be set by default to all known private networks, and should be overridable by configuration.

See for example https://code.google.com/p/xebia-france/wiki/XForwardedFilter 

                
> Support X-Forwarded-Proto to identify a Request secured (https)
> ---------------------------------------------------------------
>
>                 Key: TAP5-2058
>                 URL: https://issues.apache.org/jira/browse/TAP5-2058
>             Project: Tapestry 5
>          Issue Type: Improvement
>          Components: tapestry-core
>            Reporter: Massimo Lusetti
>            Assignee: Massimo Lusetti
>             Fix For: 5.4
>
>
> The X-Forwarded-Proto is the de facto standard header used by reverse proxies to tell whether the original Request was secured with HTTPS or not. It can therefore be used to recognize the Request as secured.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
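
The check suggested in the comment above, as an added example (not from the original message or from Tapestry's code): X-Forwarded-Proto is honoured only when the direct peer's address is in a configurable trusted-proxy list. The class name `ForwardedProtoPolicy`, its methods and the default ranges (RFC 1918 plus loopback) are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

public class ForwardedProtoPolicy {
    // Assumed defaults: RFC 1918 private ranges plus loopback; override per deployment.
    static final List<String> DEFAULT_TRUSTED =
            List.of("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8");

    private final List<String> trustedCidrs;

    public ForwardedProtoPolicy(List<String> trustedCidrs) {
        this.trustedCidrs = trustedCidrs;
    }

    /** True if addr falls inside cidr ("a.b.c.d/n"); address families must match. */
    static boolean inCidr(String addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] ip = InetAddress.getByName(addr).getAddress();
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        int prefix = Integer.parseInt(parts[1]);
        if (ip.length != net.length) return false;
        for (int bit = 0; bit < prefix; bit++) {
            int mask = 0x80 >> (bit % 8);
            if ((ip[bit / 8] & mask) != (net[bit / 8] & mask)) return false;
        }
        return true;
    }

    /**
     * remoteAddr: IP literal of the direct peer (e.g. ServletRequest.getRemoteAddr()).
     * transportSecure: whether the connection to this server itself used TLS.
     */
    public boolean isSecure(String remoteAddr, boolean transportSecure, String forwardedProto) {
        if (transportSecure) return true;
        if (forwardedProto == null) return false;
        try {
            for (String cidr : trustedCidrs)
                if (inCidr(remoteAddr, cidr))
                    return "https".equalsIgnoreCase(forwardedProto.trim());
        } catch (UnknownHostException | RuntimeException e) { /* unparsable input: do not trust */ }
        return false;
    }

    public static void main(String[] args) {
        ForwardedProtoPolicy p = new ForwardedProtoPolicy(DEFAULT_TRUSTED);
        System.out.println(p.isSecure("10.1.2.3", false, "https"));    // peer is a trusted proxy
        System.out.println(p.isSecure("203.0.113.7", false, "https")); // direct client: header ignored
        System.out.println(p.isSecure("10.1.2.3", false, "http"));     // proxy reports plain HTTP
    }
}
```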