Skip to content

fix(@angular/ssr): introduce trustProxyHeaders option to safely validate and sanitize proxy headers#33031

Open
alan-agius4 wants to merge 1 commit intoangular:21.2.xfrom
alan-agius4:x-forward-prefix-validation-patch
Open

fix(@angular/ssr): introduce trustProxyHeaders option to safely validate and sanitize proxy headers#33031
alan-agius4 wants to merge 1 commit intoangular:21.2.xfrom
alan-agius4:x-forward-prefix-validation-patch

Conversation

@alan-agius4
Copy link
Copy Markdown
Collaborator

@alan-agius4 alan-agius4 commented Apr 22, 2026


This commit adds the trustProxyHeaders option to AngularAppEngineOptions and AngularNodeAppEngineOptions to configure, validate, and sanitize X-Forwarded-* headers.

  • When trustProxyHeaders is undefined (default):
    • Allows X-Forwarded-Host and X-Forwarded-Proto.
    • Intercepts X-Forwarded-Prefix and triggers a dynamic CSR deoptimization to skip SSR if present.
    • Logs an informative message when receiving any other X-Forwarded-* headers.
  • When false:
    • Ignores and strips all proxy headers from the request.
  • When true:
    • Trusts all proxy headers.
  • When a string array:
    • Allows only the proxy headers provided inside the array.

Example:

const engine = new AngularAppEngine({
  // Allow all proxy headers
  trustProxyHeaders: true,
});

// Or explicitly allow specific headers:
const engine = new AngularAppEngine({
  trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-prefix'],
});

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the trustProxyHeaders configuration to AngularAppEngine, allowing for explicit control over which X-Forwarded-* headers are trusted during SSR. It replaces the previous header-patching approach with a more efficient sanitization process and adds a mechanism to deoptimize to CSR when certain proxy headers are present but untrusted. Review feedback suggests that the new VALID_PREFIX_REGEX is overly restrictive regarding dots in path segments and that the warning for unconfigured proxy headers should be adjusted to reduce log noise for default allowed headers.

Comment thread packages/angular/ssr/src/utils/validation.ts
Comment thread packages/angular/ssr/src/utils/validation.ts
@alan-agius4
fix(@angular/ssr): introduce trustProxyHeaders option to safely valid…
e769eae 
…ate and sanitize proxy headers

This commit adds the `trustProxyHeaders` option to `AngularAppEngineOptions` and `AngularNodeAppEngineOptions` to configure, validate, and sanitize `X-Forwarded-*` headers.
- When `trustProxyHeaders` is `undefined` (default):
  - Allows `X-Forwarded-Host` and `X-Forwarded-Proto`.
  - Intercepts `X-Forwarded-Prefix` and triggers a dynamic CSR deoptimization to skip SSR if present.
  - Logs an informative message when receiving any other `X-Forwarded-*` headers.
- When `false`:
  - Ignores and strips all proxy headers from the request.
- When `true`:
  - Trusts all proxy headers.
- When a string array:
  - Allows only the proxy headers provided inside the array.

Example:
```ts
const engine = new AngularAppEngine({
  // Allow all proxy headers
  trustProxyHeaders: true,
});

// Or explicitly allow specific headers:
const engine = new AngularAppEngine({
  trustProxyHeaders: ['x-forwarded-host', 'x-forwarded-prefix'],
});
```
@alan-agius4 alan-agius4 force-pushed the x-forward-prefix-validation-patch branch from d22ebae to e769eae Compare April 22, 2026 08:03
@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label Apr 22, 2026
@alan-agius4 alan-agius4 requested a review from dgp1130 April 22, 2026 09:29
@alan-agius4 alan-agius4 added the target: patch This PR is targeted for the next patch release label Apr 22, 2026
dgp1130
dgp1130 approved these changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@dgp1130 dgp1130 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General comments from #32911 mostly apply, but no major concerns other than the abusability of X-Angular-Depot-Csr.

Comment thread packages/angular/ssr/node/src/request.ts
if (trustProxyHeaders === undefined) {
const lower = headerName.toLowerCase();

return lower === 'x-forwarded-host' || lower === 'x-forwarded-proto';
Copy link
Copy Markdown
Collaborator

@dgp1130 dgp1130 Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider: Regarding the question of whether or not we care about other X-Forwarded-* headers, should we do lower !== 'x-forwarded-proxy' instead?

Comment thread packages/angular/ssr/src/utils/validation.ts
}

if (trustProxyHeaders === undefined) {
if (lowerKey === 'x-forwarded-host' || lowerKey === 'x-forwarded-proto') {
Copy link
Copy Markdown
Collaborator

@dgp1130 dgp1130 Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider: Could we simplify this along the lines of getAllowedProxyHeaderValue like the other PR, but return string | undefined | false with false indicating deopt? Something along those lines?

Comment thread packages/angular/ssr/src/utils/validation.ts
};
if (trustProxyHeaders === undefined && receivedXForwarded) {
// eslint-disable-next-line no-console
console.warn('Received "X-Forwarded-*" headers but "trustProxyHeaders" was not configured.');
Copy link
Copy Markdown
Collaborator

@dgp1130 dgp1130 Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Can we provide any more context here? We should at least state that we ignored the header, otherwise it's not clear why we're logging this at all and potentially link to angular.dev if/when we have content there.

Comment thread packages/angular/ssr/src/app.ts
const { redirectTo, status, renderMode, headers } = matchedRoute;
const { redirectTo, status, renderMode, headers, preload } = matchedRoute;

if (request.headers.get('x-angular-deopt-csr') === 'true') {
Copy link
Copy Markdown
Collaborator

@dgp1130 dgp1130 Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: This means someone could curl http://example.test/ -H "X-Angular-Deopt-Csr: true" and force the server to return the CSR bundle, which might normally not be allowed. Could that potentially be a separate cache poisoning issue?

Comment thread packages/angular/ssr/src/app.ts
const { redirectTo, status, renderMode, headers } = matchedRoute;
const { redirectTo, status, renderMode, headers, preload } = matchedRoute;

if (request.headers.get('x-angular-deopt-csr') === 'true') {
Copy link
Copy Markdown
Collaborator

@dgp1130 dgp1130 Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Is this covering both the Node and web standard request use cases? Do we need to check this in two places like the other PR does?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgp1130 dgp1130 dgp1130 approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: review The PR is still awaiting reviews from at least one requested reviewer area: @angular/ssr target: patch This PR is targeted for the next patch release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alan-agius4 @dgp1130