Skip to content

fix(@angular/ssr): support all X-Forwarded-* headers when trustProxyHeaders is true#33170

Merged
alan-agius4 merged 2 commits into
angular:mainfrom
alan-agius4:proxy-headers
May 13, 2026
Merged

fix(@angular/ssr): support all X-Forwarded-* headers when trustProxyHeaders is true#33170
alan-agius4 merged 2 commits into
angular:mainfrom
alan-agius4:proxy-headers

Conversation

@alan-agius4
Copy link
Copy Markdown
Collaborator

@alan-agius4 alan-agius4 commented May 12, 2026

Previously, setting trustProxyHeaders: true only allowed a predefined set of common proxy headers (such as x-forwarded-for and x-forwarded-host). This resulted in warning logs when requests contained other valid proxy headers like x-forwarded-client-cert or x-forwarded-email.

Closes #33169

@alan-agius4 alan-agius4 force-pushed the proxy-headers branch 2 times, most recently from 5d7dfa1 to dd9e29e Compare May 12, 2026 13:19
@alan-agius4 alan-agius4 requested a review from dgp1130 May 12, 2026 13:20
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release labels May 12, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 12, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the proxy header validation logic in the Angular SSR package. It replaces the fixed list of X-Forwarded-* headers with a wildcard sentinel string (ɵ*) when trustProxyHeaders is enabled, effectively allowing all proxy headers to be trusted. The corresponding tests were updated to use the normalizeTrustProxyHeaders utility and verify that additional headers are now correctly handled. I have no feedback to provide.

@alan-agius4 alan-agius4 added target: rc This PR is targeted for the next release-candidate and removed target: patch This PR is targeted for the next patch release labels May 12, 2026
@alan-agius4
fix(@angular/ssr): support all X-Forwarded-* headers when trustProxyH…
0aeebba 
…eaders is true

Previously, setting `trustProxyHeaders: true` only allowed a predefined set of common proxy headers (such as `x-forwarded-for` and `x-forwarded-host`). This resulted in warning logs when requests contained other valid proxy headers like `x-forwarded-client-cert` or `x-forwarded-email`.

Closes angular#33169
dgp1130
dgp1130 approved these changes May 12, 2026
View reviewed changes
Comment thread packages/angular/ssr/src/utils/validation.ts Outdated
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels May 13, 2026
@alan-agius4 alan-agius4 merged commit b75423d into angular:main May 13, 2026
62 of 63 checks passed
@alan-agius4 alan-agius4 deleted the proxy-headers branch May 13, 2026 10:31
@alan-agius4
Copy link
Copy Markdown
Collaborator Author

alan-agius4 commented May 13, 2026

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgp1130 dgp1130 dgp1130 approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: @angular/ssr target: rc This PR is targeted for the next release-candidate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

trustProxyHeaders: true does not seems to work as expected

2 participants

@alan-agius4 @dgp1130