Remove headers set by a trusted proxy from outputs

2025-07-04 09:19:25 +00:00 · 2022-05-02 18:00:36 +02:00
parent 7c70abf07f
commit 1ee7256506
7 changed files with 38 additions and 18 deletions
--- a/router/headers.go
+++ b/router/headers.go
@ -10,15 +10,17 @@ import (
 )

 func getHeadersAsSortedString(ctx *gin.Context) {
-	h := ctx.Request.Header
-	h["Host"] = []string{ctx.Request.Host}
+	h := httputils.GetHeadersWithoutTrustedHeaders(ctx)
+	h.Set("Host", ctx.Request.Host)

 	ctx.String(http.StatusOK, httputils.HeadersToSortedString(h))
 }

 func getHeaderAsString(ctx *gin.Context) {
+	headers := httputils.GetHeadersWithoutTrustedHeaders(ctx)
+
 	h := ctx.Params.ByName("header")
-	if v := ctx.GetHeader(h); v != "" {
+	if v := headers.Get(ctx.Params.ByName("header")); v != "" {
 		ctx.String(http.StatusOK, template.HTMLEscapeString(v))
 	} else if strings.ToLower(h) == "host" {
 		ctx.String(http.StatusOK, template.HTMLEscapeString(ctx.Request.Host))