From 1403603b05e1efa558af60d36b6025324369cbd2 Mon Sep 17 00:00:00 2001 From: Rossen Stoyanchev Date: Mon, 11 Nov 2019 11:44:44 +0000 Subject: [PATCH] Doc update for ForwardedHeaderFilter Closes gh-23954 --- src/docs/asciidoc/web/webmvc.adoc | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/docs/asciidoc/web/webmvc.adoc b/src/docs/asciidoc/web/webmvc.adoc index 7133ab1d7aa..375d5a4dfd0 100644 --- a/src/docs/asciidoc/web/webmvc.adoc +++ b/src/docs/asciidoc/web/webmvc.adoc 
@@ -1280,14 +1280,17 @@ that proxies can use to provide information about the original request. There ar non-standard headers, too, including `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, `X-Forwarded-Ssl`, and `X-Forwarded-Prefix`. -`ForwardedHeaderFilter` is a Servlet filter that modifies the host, port, and scheme of -the request, based on `Forwarded` headers, and then removes those headers. +`ForwardedHeaderFilter` is a Servlet filter that modifies the request in order to +a) change the host, port, and scheme based on `Forwarded` headers, and b) to remove those +headers to eliminate further impact. The filter relies on wrapping the request, and +therefore it must be ordered ahead of other filters, such as `RequestContextFilter`, that +should work with the modified and not the original request. There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client. This is why -a proxy at the boundary of trust should be configured to remove untrusted `Forwarded` headers that come -from the outside. You can also configure the `ForwardedHeaderFilter` with -`removeOnly=true`, in which case it removes but does not use the headers. +a proxy at the boundary of trust should be configured to remove untrusted `Forwarded` +headers that come from the outside. You can also configure the `ForwardedHeaderFilter` +with `removeOnly=true`, in which case it removes but does not use the headers.
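Review bot: The new sentence "modifies the request in order to a) change the host, port, and scheme based on `Forwarded` headers, and b) to remove those headers to eliminate further impact" is not parallel, since "in order to" already governs both items and (b) repeats "to"; suggest "in order to a) change the host, port, and scheme based on `Forwarded` headers, and b) remove those headers to eliminate further impact." The same paragraph lists `X-Forwarded-Prefix` among the headers but the description of what the filter changes names only host, port, and scheme; if the filter also applies the prefix, this is the place to say so, otherwise readers will assume it is ignored. The ordering sentence ("must be ordered ahead of other filters, such as `RequestContextFilter`") is the security-relevant addition here: it would be clearer to state the consequence explicitly, namely that any filter placed before it still sees the unmodified host, port and scheme and the untrusted headers, which is also worth repeating next to the `removeOnly=true` sentence, since removal only protects filters that run after this one.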