Add explicit blocked headers list for security
- Define blockedHeaders map for headers that should never be forwarded - Include Referer, Cookie, X-Forwarded-* headers - Prevents leaking internal URLs, session data, and client IPs to upstream - Defensive measure even though no headers are currently copied
This commit is contained in:
Franz Kafka
parent
8450d96e2e
commit
f284f8dbde
2 changed files with 12 additions and 0 deletions
12
handler.go
12
handler.go
|
|
@ -21,6 +21,18 @@ type Config struct {
|
|||
|
||||
var config *Config
|
||||
|
||||
// blockedHeaders are headers that should never be forwarded to upstream
|
||||
// for security/privacy reasons. These headers could leak internal URLs,
|
||||
// session information, or other sensitive data.
|
||||
var blockedHeaders = map[string]bool{
|
||||
"Referer": true, // Don't leak internal URLs to external API
|
||||
"Cookie": true, // Don't forward session cookies
|
||||
"Authorization": true, // Already extracted and sent as x-api-key
|
||||
"X-Forwarded-For": true, // Don't leak client IP
|
||||
"X-Real-Ip": true, // Don't leak client IP
|
||||
"X-Forwarded-Host": true, // Don't leak internal hostnames
|
||||
}
|
||||
|
||||
// ClaudeCodeHeaders returns the headers to mimic claude-code CLI
|
||||
func ClaudeCodeHeaders(apiKey, sessionID string) map[string]string {
|
||||
return map[string]string{
|
||||
|
|
|
|||
BIN
proxx
BIN
proxx
Binary file not shown.
Loading…
Add table
Add a link
Reference in a new issue