
Enhance redirect plugin to allow for trusted hosts #55

Closed
caseyhadden opened this issue Jul 31, 2020 · 2 comments
@caseyhadden
Contributor

We're using the gentleman client to make calls to 1st party services that can result in redirects. Initially, we were using the 'Trusted' field of the plugin to ensure that any headers were forwarded. For security purposes, we wanted to add a capability and limit header forwarding to only our 1st party services so any potential redirection to a 3rd party service wouldn't end up exposing sensitive information. In order to accomplish this, we created a fork of the redirect plugin that includes a field for a list of trusted host suffixes before doing the header copying.

It would be great to have that feature as part of the upstream gentleman, and I'd be happy to put together a PR for it if there is interest. But I wanted to open an issue and check on feasibility before just dropping a PR on your doorstep.

Thanks!

@h2non
Owner

h2non commented Aug 1, 2020

PRs are welcome!

caseyhadden pushed a commit to caseyhadden/gentleman that referenced this issue Aug 3, 2020
In order to avoid leaking sensitive information, the redirect plugin
does not forward sensitive headers unless the opts.Trusted field is
true. This commit adds an additional capability to also provide a list
of trusted host suffixes.

The opts.Trusted value will override any suffix list. Suffixes are not
perfect and care should be given to choose a value appropriate for the
given environment. For example, a 'trusted.com' suffix will match a host
that was 'untrusted.com.' A leading '.' can be used to avoid this, e.g.
'.trusted.com.'
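The suffix rule and its pitfall from the commit message, as an added stand-alone example (not gentleman's own code): `forwardSensitive` is a hypothetical helper that applies the `opts.Trusted` override first and otherwise compares the redirect target's host against the configured suffixes, ignoring case and any port. The sample hosts are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// forwardSensitive (example helper, not from gentleman) decides whether sensitive
// headers may follow a redirect to target. trusted mirrors opts.Trusted and wins
// over the suffix list; otherwise the host must end with one of the suffixes.
// Comparison is case-insensitive and an optional :port is stripped first.
func forwardSensitive(trusted bool, suffixes []string, target string) bool {
	if trusted {
		return true
	}
	host := strings.ToLower(target)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	for _, s := range suffixes {
		if strings.HasSuffix(host, strings.ToLower(s)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed redirect targets; none of these are real services.
	targets := []string{"api.trusted.com", "untrusted.com", "API.Trusted.com:8443", "trusted.com"}

	// Bare suffix: 'untrusted.com' also ends with 'trusted.com', so it is forwarded.
	fmt.Println("suffix 'trusted.com':")
	for _, t := range targets {
		fmt.Printf("  %-22s forward=%v\n", t, forwardSensitive(false, []string{"trusted.com"}, t))
	}
	// Leading dot: only subdomains of trusted.com match; note the apex itself no longer does.
	fmt.Println("suffix '.trusted.com':")
	for _, t := range targets {
		fmt.Printf("  %-22s forward=%v\n", t, forwardSensitive(false, []string{".trusted.com"}, t))
	}
}
```

If the apex host must also be trusted, list both 'trusted.com' exactly and '.trusted.com' rather than falling back to the bare suffix.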
h2non added a commit that referenced this issue Aug 4, 2020
@moorereason

It looks like this issue can be closed due to #56 being merged.

@h2non h2non closed this as completed Sep 18, 2020