don't trust headers from external

2025-06-26 16:45:52 +00:00 · 2023-04-30 09:01:26 +02:00 · 2023-04-30 09:01:26 +02:00 · fadf281734
commit fadf281734
parent a3aa0ce7d9
1 changed files with 2 additions and 0 deletions
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
@ -355,6 +355,7 @@ RewriteRule ^/radicale$ /radicale/ [R,L]
    ProxyPassReverse http://localhost:5232/
    RequestHeader    set X-Script-Name /radicale
    RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
+    RequestHeader    unset X-Forwarded-Proto
    <If "%{HTTPS} =~ /on/">
    RequestHeader    set X-Forwarded-Proto "https"
    </If>
@ -371,6 +372,7 @@ RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
 # Set to directory of .htaccess file:
 RequestHeader set X-Script-Name /radicale
 RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s"
+RequestHeader unset X-Forwarded-Proto
 <If "%{HTTPS} =~ /on/">
 RequestHeader set X-Forwarded-Proto "https"
 </If>