Using X-Forwarded-For to check for external request
Dainii commented
Description
There is a mechanism to prevent external queries from reaching the metrics endpoints based on the presence or not of the X-Forwarded-Host header. Would it be possible to also check the presence of the X-Forwarded-For header (very often used when an application runs behind a reverse proxy)?
We do not use the X-Forwarded-Host header anywhere because the Host header is never changed.
Expected Behavior
Deny the request when the DISABLE_EXTERNAL_ACCESS env is set and the X-Forwarded-For header is present in the request.
Actual Behavior
It only checks the presence of the X-Forwarded-Host header.
Environment
- Operating system: all
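
The behavior requested above, sketched as a WSGI middleware that checks for either header. This is an added example, not the project's own code; the `/metrics` path, the `MetricsGuard`, `forwarded_headers` and `status_for` names, and the rule that any non-empty `DISABLE_EXTERNAL_ACCESS` value counts as set are assumptions.

```python
import os
from wsgiref.util import setup_testing_defaults

# WSGI spellings of the two proxy headers named in the issue.
FORWARDED_HEADERS = ("HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_FOR")


def forwarded_headers(environ):
    """Return the proxy headers present on the request, even if their value is empty."""
    return [h for h in FORWARDED_HEADERS if h in environ]


class MetricsGuard:
    """Deny proxied requests to the metrics path when DISABLE_EXTERNAL_ACCESS is set."""

    def __init__(self, app, metrics_prefix="/metrics", env=None):
        self.app = app
        self.metrics_prefix = metrics_prefix  # assumed path, not taken from the issue
        self.env = os.environ if env is None else env

    def enabled(self):
        # Assumption: any non-empty value counts as "set".
        return bool(self.env.get("DISABLE_EXTERNAL_ACCESS"))

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        is_metrics = path == self.metrics_prefix or path.startswith(self.metrics_prefix + "/")
        if self.enabled() and is_metrics and forwarded_headers(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"external access to metrics is disabled\n"]
        return self.app(environ, start_response)


def backend(environ, start_response):
    """Stand-in for the application that serves the metrics."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, path, headers=None):
    """Run one constructed request through the app and return its status line."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    environ.update(headers or {})
    seen = []
    list(app(environ, lambda status, hdrs: seen.append(status)))
    return seen[0]
```

A presence check like this only holds if the reverse proxy sets the header on every request it forwards and the service cannot be reached except through that proxy.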