aerogear/keycloak-metrics-spi

Using X-Forwarded-For to check for external request

Opened this issue · 0 comments

Dainii commented

Description

There is a mechanism to prevent external queries from reaching the metrics endpoints based on the presence or not of the X-Forwarded-Host header. Would it be possible to also check the presence of the X-Forwarded-For header (very often used when an application runs behind a reverse proxy)?

We do not use the X-Forwarded-Host anywhere because the Host header is never changed.

Expected Behavior

Deny the request when the DISABLE_EXTERNAL_ACCESS env is set and the X-Forwarded-For header is present in the request.

Actual Behavior

It only checks the presence of the X-Forwarded-Host header.

Environment

  • Operating system: all
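The check the issue asks for, as an added illustration that is not code from keycloak-metrics-spi: a request to the metrics endpoint is denied when DISABLE_EXTERNAL_ACCESS is set and either X-Forwarded-Host or X-Forwarded-For is present. The exact way the project parses the env variable is assumed here (set to any non-empty value means disabled); the function names and sample requests are constructed for this example.

```python
import os
from typing import Mapping, Optional

# Proxy-added headers that mark a request as having come through the reverse
# proxy. The project checks only X-Forwarded-Host; X-Forwarded-For is the
# header the issue proposes adding. Header names are compared case-insensitively
# because HTTP header names are case-insensitive.
PROXY_HEADERS = ("x-forwarded-host", "x-forwarded-for")


def external_access_disabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """Treat DISABLE_EXTERNAL_ACCESS as a flag: any non-empty value disables
    external access. (Assumption about how the project reads the variable.)"""
    env = os.environ if env is None else env
    return bool(env.get("DISABLE_EXTERNAL_ACCESS", "").strip())


def is_forwarded(headers: Mapping[str, str]) -> bool:
    """True when any proxy header is present, whatever its value."""
    present = {name.lower() for name, value in headers.items() if value is not None}
    return any(name in present for name in PROXY_HEADERS)


def allow_metrics_request(headers: Mapping[str, str],
                          env: Optional[Mapping[str, str]] = None) -> bool:
    """Decide whether a /metrics request may be served.

    With external access disabled, a request that carries a proxy header is
    treated as external and denied; a request without one (e.g. a scraper
    talking to the instance directly) is served. The control only recognises
    requests the proxy has marked, so network-level restriction of the
    endpoint is still needed alongside it.
    """
    if not external_access_disabled(env):
        return True
    return not is_forwarded(headers)


if __name__ == "__main__":
    # Constructed sample requests and environment.
    disabled = {"DISABLE_EXTERNAL_ACCESS": "true"}
    direct_scrape = {"Host": "keycloak.internal:8080", "User-Agent": "Prometheus/2.x"}
    via_proxy = {"Host": "keycloak.internal:8080", "X-Forwarded-For": "203.0.113.7"}
    print("direct scrape allowed:", allow_metrics_request(direct_scrape, disabled))
    print("proxied request allowed:", allow_metrics_request(via_proxy, disabled))
```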