JavaScript

Made by DeepSource

Audit: Forwarding IP while setting proxies in the HTTP server JS-D018

Category: Security
Severity: Major
Tags: Autofix, A02 OWASP Top 10

The X-Forwarded-For (XFF) header is a de facto standard header for identifying the originating IP address of a client that reaches a web server through an HTTP proxy or a load balancer.

When traffic passes through a proxy or load balancer, the server's access logs record only the address of that intermediary. The X-Forwarded-For request header is what carries the original client address to the server behind it.

If a server makes proxied connections, it is not a good idea to forward user IP addresses upstream in HTTP headers such as X-Forwarded-For or Forwarded unless the service behind the proxy genuinely needs them.

X-Forwarded-For is used for debugging, statistics, and generating location-dependent content, and by design it exposes privacy-sensitive information: the IP address of the client.

Therefore, the user's privacy must be kept in mind when deploying this header.

Users often connect to web servers through HTTP proxies, and a proxy can be configured to forward the client IP address via the X-Forwarded-For or Forwarded HTTP headers. An IP address is personal information that can identify an individual user, so forwarding it affects the user's privacy.

We currently check for the following libraries. In both, the xfwd option controls these headers; it is off by default, so leaving it out is equivalent to xfwd: false.

  • http-proxy
  • http-proxy-middleware

Bad Practice

// http-proxy
const httpProxy = require('http-proxy')

// unsafe: xfwd: true adds the client's IP address to X-Forwarded-For (together with
// X-Forwarded-Port, X-Forwarded-Proto and X-Forwarded-Host) on every request sent to the target
httpProxy.createProxyServer({ target: 'http://localhost:9000', xfwd: true }).listen(8000)

// http-proxy-middleware
const express = require('express')
const { createProxyMiddleware } = require('http-proxy-middleware')

const app = express()
app.use(
  '/proxy',
  createProxyMiddleware({
    target: 'http://localhost:9000',
    changeOrigin: true, // rewrite the Host header to match the target
    xfwd: true // unsafe: the client's IP address is forwarded to the target
  })
)
app.listen(3000)

Recommended

// http-proxy
const httpProxy = require('http-proxy')

// Compliant: no X-Forwarded-* headers are added, so the target only sees the proxy's address
httpProxy.createProxyServer({ target: 'http://localhost:9000', xfwd: false }).listen(8000)

// http-proxy-middleware
const express = require('express')
const { createProxyMiddleware } = require('http-proxy-middleware')

const app = express()
app.use(
  '/proxy',
  createProxyMiddleware({
    target: 'http://localhost:9000',
    changeOrigin: true, // rewrite the Host header to match the target
    xfwd: false // Compliant: the client's IP address stays at the proxy
  })
)
app.listen(3000)
