This rule is deprecated, and will eventually be removed.
When using reverse proxies, some configurations forward the client’s original IP address to the upstream server via HTTP headers such as X-Forwarded-For.
IP addresses are personal information that can identify individual users.
When a reverse proxy is configured to forward the client IP address, this information is transmitted to the upstream server, where it may be stored or logged.
This rule raises an issue when a proxy is configured with xfwd: true, which enables forwarding of the client’s real IP address via the X-Forwarded-For or Forwarded HTTP headers.
Forwarding the client IP address exposes user identity information to backend services and potentially to third parties. This can violate user privacy and may conflict with data minimization requirements under regulations such as GDPR.
// Noncompliant example: with xfwd enabled, the proxy adds the client's real IP
// to the X-Forwarded-For / Forwarded headers sent to the upstream target.
const httpProxy = require('http-proxy');
const proxy = httpProxy.createProxyServer({ target: 'http://localhost:9000', xfwd: true }); // Noncompliant
proxy.listen(8000);
// Compliant example: xfwd is left unset, so it keeps its default value (false)
// and the client IP is not forwarded to the upstream target.
const httpProxy = require('http-proxy');
const proxy = httpProxy.createProxyServer({ target: 'http://localhost:9000' });
proxy.listen(8000);
// Noncompliant example: the middleware is created with xfwd: true, so requests
// proxied under /proxy carry the client's real IP in X-Forwarded-For / Forwarded.
const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');
const app = express();
const proxyOptions = { target: 'http://localhost:9000', changeOrigin: true, xfwd: true };
app.use('/proxy', createProxyMiddleware(proxyOptions)); // Noncompliant
app.listen(3000);
// Compliant example: xfwd is not set, so the default (false) applies and the
// client IP is not added to the forwarded headers.
const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');
const app = express();
const proxyOptions = { target: 'http://localhost:9000', changeOrigin: true };
app.use('/proxy', createProxyMiddleware(proxyOptions));
app.listen(3000);