mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-01-10 04:18:14 +02:00
oauth2-proxy/pkg
Nick Meves abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injection
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only X-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
apis Strip X-Forwarded auth headers from whitelisted paths (#624) 2020-07-14 23:46:44 +01:00
cookies Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
encryption Reduce SessionState size better with MessagePack + LZ4 (#632) 2020-07-13 20:56:05 +01:00
ip Implements --trusted-ip option (#552) 2020-07-11 11:10:58 +01:00
logger Implements --real-client-ip-header option. (#503) 2020-05-12 18:41:25 +01:00
middleware Add req.host to targetURL when redirecting to https (#668) 2020-07-07 09:55:38 +01:00
requests Add tests for request result 2020-07-06 20:37:36 +01:00
sessions Add option to remove tokens from cookie sessions (#673) 2020-07-14 23:02:10 +01:00
upstream Add tests for upstream package 2020-07-05 10:21:05 +01:00
util Fix #635: Support specifying alternative provider TLS trust source(s) (#645) 2020-07-03 16:09:17 +01:00
validation Add option to remove tokens from cookie sessions (#673) 2020-07-14 23:02:10 +01:00