You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I found an issue, when the server (API server) behinds a proxy server, the generated signatures are not equals. It's because the Escher::authenticate() method absolutely not care with the proxy headers.
Scenario:
The client sign the request with host: b.website.com, but this host is a proxy that redirects the request to a.website.com.
In this case the client uses the b.website.com host to signs the request, but the server uses the a.website.com host.
Proposal:
When getting the host from the request, first check if any X-Forwarded-* header are present and use this address as host.
The text was updated successfully, but these errors were encountered:
Hi,
I found an issue, when the server (API server) behinds a proxy server, the generated signatures are not equals. It's because the Escher::authenticate() method absolutely not care with the proxy headers.
Scenario:
The client sign the request with host: b.website.com, but this host is a proxy that redirects the request to a.website.com.
In this case the client uses the b.website.com host to signs the request, but the server uses the a.website.com host.
Proposal:
When getting the host from the request, first check if any X-Forwarded-* header are present and use this address as host.
The text was updated successfully, but these errors were encountered: