This rule is deprecated, and will eventually be removed.

When using reverse proxies, some configurations forward the client’s original IP address to the upstream server via HTTP headers such as X-Forwarded-For.

Why is this an issue?

IP addresses are personal data: an address can identify an individual user, or the household or organization behind a connection. When a reverse proxy is configured to forward the client IP address, that information reaches the upstream server, where it may be stored or logged. This rule raises an issue when a proxy is created with xfwd: true. In node-http-proxy (which http-proxy-middleware wraps) this option adds the client's real IP address to the X-Forwarded-For header, appending it to any value already present, and also sets X-Forwarded-Port, X-Forwarded-Proto and X-Forwarded-Host.

What is the potential impact?

Privacy violation

Forwarding the client IP address exposes a user identifier to backend services, and to any third parties those services log to or share data with. This can violate user privacy and may conflict with data minimization requirements under regulations such as GDPR. Forwarding is sometimes genuinely needed (for example for rate limiting or audit logging on the upstream); in that case enable it deliberately, make sure the upstream only trusts X-Forwarded-For values that arrive from the proxy itself, and limit how long the addresses are retained.
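To make the effect of xfwd concrete, the block below is an added example, not code from the rule page or from node-http-proxy: a small re-implementation of what xfwd does to a proxied request's headers, modelled on node-http-proxy's behaviour (append to X-Forwarded-For, derive the port from the Host header, set X-Forwarded-Host only when absent), together with the access-log line a typical upstream would record. The connection object, client address 203.0.113.7 and header values are constructed sample input; the function names are this example's own.

```javascript
// Added example (not the rule page's or node-http-proxy's code): what the xfwd
// option adds to a proxied request, and what the upstream then sees in its logs.

// Port as node-http-proxy derives it: from the Host header if it carries one,
// otherwise the default for the scheme.
function forwardedPort(headers, encrypted) {
  const m = headers.host ? headers.host.match(/:(\d+)$/) : null;
  return m ? m[1] : (encrypted ? '443' : '80');
}

// Build the headers the proxy sends upstream. `conn` is a constructed stand-in
// for the client socket (remoteAddress, encrypted); header names are lowercase
// as Node presents them in req.headers.
function forwardedHeaders(incomingHeaders, conn, xfwd) {
  const headers = { ...incomingHeaders };
  if (!xfwd) {
    // Compliant default: nothing about the client connection is added.
    return headers;
  }
  // Non-compliant path: the client's real address goes into X-Forwarded-For.
  // Existing values are appended to with a comma, the usual chaining behaviour
  // when several proxies sit in front of the upstream.
  const values = {
    'x-forwarded-for': conn.remoteAddress,
    'x-forwarded-port': forwardedPort(headers, conn.encrypted),
    'x-forwarded-proto': conn.encrypted ? 'https' : 'http',
  };
  for (const [name, value] of Object.entries(values)) {
    headers[name] = headers[name] ? `${headers[name]},${value}` : value;
  }
  headers['x-forwarded-host'] = headers['x-forwarded-host'] || headers.host || '';
  return headers;
}

// The line a typical upstream access log records. On the socket the upstream
// only sees the proxy's own address; the client IP reaches its logs solely
// through the forwarded header.
function upstreamLogLine(headers, proxyAddress, method, path) {
  const xff = headers['x-forwarded-for'];
  const clientIp = xff ? xff.split(',')[0].trim() : proxyAddress;
  return `${clientIp} "${method} ${path}"`;
}

// Constructed sample: a client at 203.0.113.7 over plain HTTP, proxy at 127.0.0.1.
const sampleConn = { remoteAddress: '203.0.113.7', encrypted: false };
const sampleHeaders = { host: 'app.example', 'user-agent': 'curl/8.0' };

const withXfwd = forwardedHeaders(sampleHeaders, sampleConn, true);
const withoutXfwd = forwardedHeaders(sampleHeaders, sampleConn, false);

console.log('xfwd: true  ->', upstreamLogLine(withXfwd, '127.0.0.1', 'GET', '/account'));
console.log('xfwd: false ->', upstreamLogLine(withoutXfwd, '127.0.0.1', 'GET', '/account'));
```

With xfwd: true the upstream log line starts with 203.0.113.7, the end user's address; with the default it starts with 127.0.0.1, the proxy, and the upstream has learned nothing about who the user is.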

How to fix it in node-http-proxy

Code examples

Noncompliant code example

var httpProxy = require('http-proxy');

httpProxy.createProxyServer({target:'http://localhost:9000', xfwd:true}) // Noncompliant
  .listen(8000);

Compliant solution

var httpProxy = require('http-proxy');

// By default xfwd option is false
httpProxy.createProxyServer({target:'http://localhost:9000'})
  .listen(8000);

How to fix it in http-proxy-middleware

Code examples

Noncompliant code example

const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

app.use('/proxy', createProxyMiddleware({ target: 'http://localhost:9000', changeOrigin: true, xfwd: true })); // Noncompliant
app.listen(3000);

Compliant solution

const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

// By default the xfwd option is false, so no X-Forwarded-* headers are added
app.use('/proxy', createProxyMiddleware({ target: 'http://localhost:9000', changeOrigin: true }));
app.listen(3000);

Resources

Documentation

Standards