Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use request.protocol to check for HTTPS #282

Merged
merged 1 commit into from
Mar 21, 2024
Merged

fix: use request.protocol to check for HTTPS #282

merged 1 commit into from
Mar 21, 2024

Conversation

mohd-akram
Copy link
Contributor

The header shouldn't be read unless trustProxy is true.

Checklist

gurgunday
gurgunday reviewed Mar 21, 2024
View reviewed changes
Copy link
Member

@gurgunday gurgunday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a problem with trusting the header here? We'd at worst be sending secure=true, and if that's not really the case, the browser would ignore it

But I agree with you in principle that proxies should not be trusted when trustProxy is disabled

@fastify/plugins is this breaking?

mcollina
mcollina approved these changes Mar 21, 2024
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina
Copy link
Member

I don't think so.

@gurgunday gurgunday merged commit cb3346f into fastify:master Mar 21, 2024
19 checks passed
@mohd-akram mohd-akram deleted the fix-protocol-check branch March 21, 2024 15:26
@climba03003
Copy link
Member

climba03003 commented Mar 21, 2024
edited
Loading

I don't think always sent secure cookies to the client that pretend to be https is a wrong idea.

Even if the next hop is not a trust proxy, sending secure cookies should not harm. Secure cookies will not set when the end client (broswer) is using http.

@gurgunday
Copy link
Member

gurgunday commented Mar 21, 2024
edited
Loading

That was what I thought... but the reason I approved anyway is trustProxy wasn't respected at the end of the day...

I could accept the following:

if (opts.secure === 'auto') {
    if (reply.request.protocol === 'https' || (fastify.trustProxy === true && request.headers['x-forwarded-proto'] === 'https')) {
      opts.secure = true
    } else {
      opts.sameSite = 'lax'
    }
}

However, should be noted that x-forwarded-proto is not the standard, Forwarded is

@mohd-akram
Copy link
Contributor Author

fastify.trustProxy === true && request.headers['x-forwarded-proto'] === 'https')

This is the same as reply.request.protocol === 'https' AFAICT since it check trustProxy and uses the header if it's available.

@ivstiv ivstiv mentioned this pull request Jul 6, 2024
Merged
This was referenced Aug 21, 2024
Open
Open
Open
Open
@WesleyR10 WesleyR10 mentioned this pull request Sep 12, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mcollina mcollina mcollina approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

@gurgunday gurgunday gurgunday approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mohd-akram @mcollina @climba03003 @gurgunday @marco-ippolito