tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: HTTP connector to be aware of proxied SSL requests
Date Fri, 18 Jun 2010 12:59:29 GMT
On 18/06/2010 00:36, Matthew Peterson wrote:
> Out of interest, what are some of the security risks around non-trusted proxies injecting
> the x-forwarded-* headers?

Mainly an issue if you use the RemoteAddressValve or a similar mechanism
to secure your webapp based on client IP address. If an untrusted proxy
can change the apparent IP address, they can bypass your security.

For https/http I'd be worried about untrusted proxies making Tomcat
think a request that was received over https was actually insecure. That will
change how Tomcat handles session IDs etc and could maybe (I haven't
thought this through) lead to the session ID being exposed over http
when it should only be sent over https.

Mark
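As an added illustration of the mitigation behind Mark's answer (this is example code written for this archive page, not code from the thread or from Tomcat), the following resolves the client address and scheme in the spirit of Tomcat's RemoteIpValve: X-Forwarded-* headers are only honoured when the TCP peer is a known proxy, and the X-Forwarded-For chain is walked from the right so that only trusted hops are discarded. The proxy ranges and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed for this example: address ranges of the proxies we operate.
# Anything outside these ranges is treated as an untrusted peer.
TRUSTED_PROXIES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

def _trusted(addr: str) -> bool:
    """True if addr is a syntactically valid IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client(remote_addr: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (client_ip, scheme) for a request.

    remote_addr is the TCP peer; headers is the request header map with
    lower-case keys.  If the peer is not a trusted proxy, its headers are
    ignored entirely and it is the client.  Otherwise the X-Forwarded-For
    chain is consumed from the right: each trusted hop is dropped, and the
    first untrusted hop is the real client.  X-Forwarded-Proto is honoured
    only in the trusted case, so an untrusted peer cannot downgrade the
    apparent scheme (which would affect secure-cookie handling).
    """
    scheme = "http"
    if not _trusted(remote_addr):
        return remote_addr, scheme
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    client = remote_addr
    while chain:
        client = chain.pop()        # right-most entry was appended by the nearest proxy
        if not _trusted(client):
            break
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    if proto in ("http", "https"):
        scheme = proto
    return client, scheme

def allowed(remote_addr: str, headers: Dict[str, str], allow: Set[str]) -> bool:
    """IP allow-list decision (RemoteAddrValve-style) made on the resolved
    client address, never on the raw header value."""
    client, _ = resolve_client(remote_addr, headers)
    return client in allow
```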


