Comments (3)
Reference for myself: https://systemoverlord.com/2020/03/25/security-101-x-forwarded-for-vs-forwarded-vs-proxy.html
from uvicorn.
@nhairs Do you have any proposal on how we should implement this?
Can we have the `X-Forwarded-*` and `Forwarded` at the same time?
from uvicorn.
> Can we have the `X-Forwarded-*` and `Forwarded` at the same time?
Per the code comments I left in my open PR, I initially thought this was the case, i.e. use the official headers if available, otherwise fall back to the x-forwarded headers. But I suspect that such behaviour might introduce vulnerabilities into users' applications. It might be better to take a PEP 20 "Explicit is better than implicit" approach, which leads me to...
> @nhairs Do you have any proposal on how we should implement this?
My gut feeling is that we're better off making users explicitly choose which headers they want to extract info from. Trying to support all of them from the command line seems like a lot of work though. What about supporting `X-Real-IP` headers?
Which leads to my suggestion on #2231:
from uvicorn.
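The concern in the comment above about implicit fallback, as an added example that is not part of the thread or of uvicorn's code: it resolves the client address under an explicit header choice and under a "use `Forwarded` if present, else `X-Forwarded-For`" policy. The function names, the `mode` values, the trusted proxy address and the sample request are all assumptions made for illustration.

```python
import ipaddress

# Assumption: the one reverse proxy we operate (constructed address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def _forwarded_for(value):
    """Return the for= node of each element of an RFC 7239 Forwarded header.
    Simplified: assumes no ',' or ';' inside quoted strings."""
    hops = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, val = pair.strip().partition("=")
            if name.lower() != "for":
                continue
            val = val.strip('"')
            if val.startswith("["):            # "[2001:db8::1]:4711"
                val = val[1:].partition("]")[0]
            elif val.count(":") == 1:          # "192.0.2.43:47011"
                val = val.split(":")[0]
            hops.append(val)
    return hops

def client_ip(peer, headers, mode):
    """Explicit policy. mode is 'none', 'x-forwarded-for' or 'forwarded'
    (hypothetical option names); headers has lower-cased keys."""
    if mode == "none" or ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
        return peer                            # header ignored entirely
    raw = headers.get(mode)
    if raw is None:
        return peer
    hops = _forwarded_for(raw) if mode == "forwarded" else raw.split(",")
    for hop in reversed(hops):                 # nearest hop first
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:                     # "unknown", "_hidden", junk
            return peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer

def client_ip_implicit(peer, headers):
    """Implicit policy: use Forwarded if present, else X-Forwarded-For."""
    for mode in ("forwarded", "x-forwarded-for"):
        if mode in headers:
            return client_ip(peer, headers, mode)
    return peer

# Constructed request: the proxy set X-Forwarded-For itself but passed the
# client's own Forwarded header through unchanged.
HEADERS = {"x-forwarded-for": "203.0.113.7", "forwarded": "for=198.51.100.99"}
```

With the constructed request, the implicit policy returns the address from the header the proxy never wrote, while the explicit `x-forwarded-for` mode returns the address the proxy recorded.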