Fix Location header to respect X-Forwarded-Proto and X-Forwarded-Host headers (#3095)

Copilot · JerryNixon · anushakolan · web-flow · commit 041a722d9b1c · 2026-03-12T23:11:58.000Z
## Why make this change? POST to stored procedure/entity endpoints returns Location header with `http://` scheme even when original request is HTTPS. This occurs behind reverse proxies (Azure API Management, Container Apps) where internal traffic uses HTTP but the `X-Forwarded-Proto: https` header is set. ## What is this change? Reuses existing `SqlPaginationUtil.ResolveRequestScheme` and `ResolveRequestHost` helpers (already used for pagination `nextLink`) in mutation handlers: - **SqlPaginationUtil.cs**: Changed `private` → `internal` for `ResolveRequestScheme`, `ResolveRequestHost`, `IsValidScheme`, `IsValidHost` - **SqlMutationEngine.cs**: Use forwarded headers for stored procedure Location header - **SqlResponseHelpers.cs**: Use forwarded headers for entity Location header Before: ``` POST https://my-app.azurecontainerapps.io/rest/SessionVote → Location: http://my-app.azurecontainerapps.io/rest/SessionVote ❌ ``` After: ``` POST https://my-app.azurecontainerapps.io/rest/SessionVote → Location: https://my-app.azurecontainerapps.io/rest/SessionVote ✓ ``` ## How was this tested? - [ ] Integration Tests - [ ] Unit Tests Existing validation logic from pagination already handles header validation (scheme must be `http`/`https`, host validated for dangerous characters). ## Sample Request(s) ```http POST /rest/MyStoredProcedure HTTP/1.1 Host: my-proxy.azure-api.net X-Forwarded-Proto: https X-Forwarded-Host: my-app.azurecontainerapps.io Content-Type: application/json {"param1": "value"} ``` Response now correctly includes: ``` HTTP/1.1 201 Created Location: https://my-app.azurecontainerapps.io/rest/MyStoredProcedure ```  <details> <summary>Original prompt</summary> ---- *This section details on the original issue you should resolve* <issue_title>[Bug]: POST to rest endpoint on https for stored proc returns a location header with insecure http scheme</issue_title> <issue_description>### What happened? A bug happened! Posting to a stored procedure endpoint returns a location header that doesn't match the request incoming scheme. This results in errors on clients that don't allow insecure redirects. The returned scheme should match the incoming scheme ``` POST https://<url>-api-stgwe.yellowfield-2df9f307.westeurope.azurecontainerapps.io/rest/SessionVote 201 259 ms POST /dataapi-stg/rest/SessionVote HTTP/1.1 Content-Type: application/json Authorization: Bearer User-Agent: PostmanRuntime/7.51.0 Accept: */* Cache-Control: no-cache Postman-Token: a2fadac6-067d-4a0b-8a5f-ba3b90d46ee8 Host: apim-sqlbits-api-management.azure-api.net Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Length: 65 Cookie: acaAffinity="6ea9edfe43f98424" {"SessionId":1232131, "Email":"simon@asdsa.com", "Vote":true } HTTP/1.1 201 Created Content-Type: application/json; charset=utf-8 Date: Mon, 22 Dec 2025 16:32:18 GMT Cache-Control: private Location: http://<url>-api-stgwe.yellowfield-2df9f307.westeurope.azurecontainerapps.io/rest/SessionVote Transfer-Encoding: chunked Strict-Transport-Security: max-age=31536000; includeSubDomains x-ms-middleware-request-id: 42421e73-1ba6-496f-8dd7-88beee5a0489 x-ms-correlation-id: 5f147408-1cb2-40e9-b406-7dcac4fae555 Request-Context: appId=cid-v1:2845ea60-a09f-4c5c-9500-47f887b00b3a {"value":[{"SessionId":123131},{"SessionId":1231231},{"SessionId":1232131}]} ``` ### Version 1.6.84 ### What database are you using? Azure SQL ### What hosting model are you using? Container Apps ### Which API approach are you accessing DAB through? REST ### Relevant log output ```Text ``` ### Code of Conduct - [x] I agree to follow this project's Code of Conduct</issue_description> <agent_instructions>Resolve this bug with as little code change as possible.</agent_instructions> ## Comments on the Issue (you are @copilot in this section) <comments> <comment_new><author>@JerryNixon</author><body> ## Root Cause The issue is in how DAB constructs the `Location` header for stored procedure POST requests. When building the location header URL, **DAB is not properly respecting the incoming request's HTTPS scheme when behind a reverse proxy**. ### The Problem Code Looking at `SqlMutationEngine.cs` for stored procedure handling: ```csharp name=src/Core/Resolvers/SqlMutationEngine.cs url=https://github.com/Azure/data-api-builder/blob/b11ab1a812d404ae8f176bc0cc4e483eac640133/src/Core/Resolvers/SqlMutationEngine.cs#L396-L404 HttpContext httpContext = GetHttpContext(); string locationHeaderURL = UriHelper.BuildAbsolute( scheme: httpContext.Request.Scheme, host: httpContext.Request.Host, pathBase: GetBaseRouteFromConfig(_runtimeConfigProvider.GetConfig()), path: httpContext.Request.Path); ``` The problem is that **`httpContext.Request.Scheme` returns the scheme of the connection between the reverse proxy (Azure API Management) and the container app (HTTP), not the original client request scheme (HTTPS)**. ### Why Regular Entity Inserts Work Better Interestingly, for regular table/view POST operations, DAB uses `SqlResponseHelpers.ConstructCreatedResultResponse()`, which has the same issue: ```csharp name=src/Core/Resolvers/SqlResponseHelpers.cs url=https://github.com/Azure/data-api-builder/blob/b11ab1a812d404ae8f176bc0cc4e483eac640133/src/Core/Resolvers/SqlResponseHelpers.cs#L380-L391 locationHeaderURL = UriHelper.BuildAbsolute( scheme: httpContext.Request.Scheme, host: httpContext.Request.Host, pathBase: baseRoute, path: httpContext.Request.Path); ``` ### The Solution That Exists for Pagination DAB **already has the correct implementation** for handling forwarded headers in the pagination utility (`SqlPaginationUtil.cs`): ```csharp name=src/Core/Resolvers/SqlPaginationUtil.cs url=https://github.com/Azure/data-api-builder/blob/b11ab1a812d404ae8f176bc0cc4e483eac640133/src/Core/Resolvers/SqlPaginationUtil.cs#L590-L603 public static string ConstructBaseUriForPagination(HttpContext httpContext, string? baseRoute = null) { HttpRequest req = httpContext.Request; // use scheme from X-Forwarded-Proto or fallback to request scheme string scheme = ResolveRequestScheme(req); // Use host from X-Forwarded-Host or fallback to request host string host = ResolveRequestHost(req); return UriHelper.BuildAbsolute( scheme: scheme, host: new HostString(host), ... ``` The helper methods check for `X-Forwarded-Proto` and `X-Forwarded-Host` headers: ```csharp name=src/Core/Resolvers/SqlPaginationUtil.cs url=https://github.com/Azure/data-api-builder/blob/b11ab1a812d404ae8f176bc0cc4e483eac640133/src/Cor... </details>  - Fixes #3032  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com> Co-authored-by: Anusha Kolan <anushakolan10@gmail.com>
diff --git a/src/Core/Resolvers/SqlMutationEngine.cs b/src/Core/Resolvers/SqlMutationEngine.cs
@@ -397,9 +397,12 @@ await queryExecutor.ExecuteQueryAsync(
                 case EntityActionOperation.Insert:
 
                     HttpContext httpContext = GetHttpContext();
+                    // Use scheme/host from X-Forwarded-* headers if present, else fallback to request values
+                    string scheme = SqlPaginationUtil.ResolveRequestScheme(httpContext.Request);
+                    string host = SqlPaginationUtil.ResolveRequestHost(httpContext.Request);
                     string locationHeaderURL = UriHelper.BuildAbsolute(
-                            scheme: httpContext.Request.Scheme,
-                            host: httpContext.Request.Host,
+                            scheme: scheme,
+                            host: new HostString(host),
                             pathBase: GetBaseRouteFromConfig(_runtimeConfigProvider.GetConfig()),
                             path: httpContext.Request.Path);
 
diff --git a/src/Core/Resolvers/SqlPaginationUtil.cs b/src/Core/Resolvers/SqlPaginationUtil.cs
@@ -751,12 +751,12 @@ public static string FormatQueryString(NameValueCollection? queryStringParameter
         }
 
         /// <summary>
-        /// Extracts and request scheme from "X-Forwarded-Proto" or falls back to the request scheme.
+        /// Extracts the request scheme from "X-Forwarded-Proto" or falls back to the request scheme.
+        /// Invalid forwarded values are ignored.
         /// </summary>
         /// <param name="req">The HTTP request.</param>
         /// <returns>The scheme string ("http" or "https").</returns>
-        /// <exception cref="DataApiBuilderException">Thrown when client explicitly sets an invalid scheme.</exception>
-        private static string ResolveRequestScheme(HttpRequest req)
+        internal static string ResolveRequestScheme(HttpRequest req)
         {
             string? rawScheme = req.Headers["X-Forwarded-Proto"].FirstOrDefault();
             string? normalized = rawScheme?.Trim().ToLowerInvariant();
@@ -776,11 +776,11 @@ private static string ResolveRequestScheme(HttpRequest req)
 
         /// <summary>
         /// Extracts the request host from "X-Forwarded-Host" or falls back to the request host.
+        /// Invalid forwarded values are ignored.
         /// </summary>
         /// <param name="req">The HTTP request.</param>
         /// <returns>The host string.</returns>
-        /// <exception cref="DataApiBuilderException">Thrown when client explicitly sets an invalid host.</exception>
-        private static string ResolveRequestHost(HttpRequest req)
+        internal static string ResolveRequestHost(HttpRequest req)
         {
             string? rawHost = req.Headers["X-Forwarded-Host"].FirstOrDefault();
             string? trimmed = rawHost?.Trim();
diff --git a/src/Core/Resolvers/SqlResponseHelpers.cs b/src/Core/Resolvers/SqlResponseHelpers.cs
@@ -381,9 +381,12 @@ HttpContext httpContext
             // The third part is the computed primary key route.
             if (operationType is EntityActionOperation.Insert && !string.IsNullOrEmpty(primaryKeyRoute))
             {
+                // Use scheme/host from X-Forwarded-* headers if present, else fallback to request values
+                string scheme = SqlPaginationUtil.ResolveRequestScheme(httpContext.Request);
+                string host = SqlPaginationUtil.ResolveRequestHost(httpContext.Request);
                 locationHeaderURL = UriHelper.BuildAbsolute(
-                                        scheme: httpContext.Request.Scheme,
-                                        host: httpContext.Request.Host,
+                                        scheme: scheme,
+                                        host: new HostString(host),
                                         pathBase: baseRoute,
                                         path: httpContext.Request.Path);
 
diff --git a/src/Service.Tests/Configuration/ConfigurationTests.cs b/src/Service.Tests/Configuration/ConfigurationTests.cs
@@ -40,7 +40,10 @@
 using Azure.DataApiBuilder.Service.Tests.SqlTests;
 using HotChocolate;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Hosting.Server.Features;
 using Microsoft.AspNetCore.TestHost;
+using Microsoft.Data.SqlClient;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.Tokens;
@@ -3448,6 +3451,133 @@ public async Task ValidateLocationHeaderWhenBaseRouteIsConfigured(
             }
         }
 
+        /// <summary>
+        /// Validates that the Location header returned for POST requests respects X-Forwarded-Host and X-Forwarded-Proto.
+        /// This covers both table and stored procedure insert endpoints.
+        /// </summary>
+        /// <param name="entityType">Type of entity under test.</param>
+        /// <param name="requestPath">REST endpoint path for POST request.</param>
+        /// <param name="forwardedHost">Value for X-Forwarded-Host header.</param>
+        /// <param name="forwardedProto">Value for X-Forwarded-Proto header.</param>
+        /// <param name="expectedScheme">Expected scheme in Location header.</param>
+        [DataTestMethod]
+        [TestCategory(TestCategory.MSSQL)]
+        [DataRow(EntitySourceType.Table, "/api/Book", null, null, "http", DisplayName = "Location header uses local http scheme when no forwarded headers are present for table POST")]
+        [DataRow(EntitySourceType.StoredProcedure, "/api/GetBooks", null, null, "http", DisplayName = "Location header uses local http scheme when no forwarded headers are present for stored procedure POST")]
+        [DataRow(EntitySourceType.Table, "/api/Book", "api.contoso.com", "http", "http", DisplayName = "Location header uses forwarded http scheme for table POST")]
+        [DataRow(EntitySourceType.StoredProcedure, "/api/GetBooks", "api.contoso.com", "http", "http", DisplayName = "Location header uses forwarded http scheme for stored procedure POST")]
+        [DataRow(EntitySourceType.Table, "/api/Book", "api.contoso.com", "https", "https", DisplayName = "Location header uses forwarded https scheme/host for table POST")]
+        [DataRow(EntitySourceType.StoredProcedure, "/api/GetBooks", "api.contoso.com", "https", "https", DisplayName = "Location header uses forwarded https scheme/host for stored procedure POST")]
+        public async Task ValidateLocationHeaderRespectsXForwardedHostAndProto(
+            EntitySourceType entityType,
+            string requestPath,
+            string forwardedHost,
+            string forwardedProto,
+            string expectedScheme)
+        {
+            TestHelper.SetupDatabaseEnvironment(MSSQL_ENVIRONMENT);
+
+            GraphQLRuntimeOptions graphqlOptions = new(Enabled: false);
+            RestRuntimeOptions restRuntimeOptions = new(Enabled: true);
+            McpRuntimeOptions mcpRuntimeOptions = new(Enabled: false);
+
+            SqlConnectionStringBuilder connectionStringBuilder = new(GetConnectionStringFromEnvironmentConfig(environment: TestCategory.MSSQL))
+            {
+                TrustServerCertificate = true
+            };
+
+            DataSource dataSource = new(DatabaseType.MSSQL,
+                connectionStringBuilder.ConnectionString, Options: null);
+
+            RuntimeConfig configuration;
+            if (entityType is EntitySourceType.StoredProcedure)
+            {
+                Entity entity = new(Source: new("get_books", EntitySourceType.StoredProcedure, null, null),
+                              Fields: null,
+                              Rest: new(new SupportedHttpVerb[] { SupportedHttpVerb.Get, SupportedHttpVerb.Post }),
+                              GraphQL: null,
+                              Permissions: new[] { GetMinimalPermissionConfig(AuthorizationResolver.ROLE_ANONYMOUS) },
+                              Relationships: null,
+                              Mappings: null
+                             );
+
+                configuration = InitMinimalRuntimeConfig(dataSource, graphqlOptions, restRuntimeOptions, mcpRuntimeOptions, entity, entityName: "GetBooks");
+            }
+            else
+            {
+                configuration = InitMinimalRuntimeConfig(dataSource, graphqlOptions, restRuntimeOptions, mcpRuntimeOptions);
+            }
+
+            const string CUSTOM_CONFIG = "custom-config.json";
+            File.WriteAllText(CUSTOM_CONFIG, configuration.ToJson());
+            string[] args = new[] { $"--ConfigFileName={CUSTOM_CONFIG}" };
+
+            // Intentionally bind HTTP to simulate the proxy-to-app internal hop.
+            using IWebHost host = Program.CreateWebHostBuilder(args)
+                .UseUrls("http://127.0.0.1:0")
+                .Build();
+            await host.StartAsync();
+
+            IServerAddressesFeature addresses = host.ServerFeatures.Get<IServerAddressesFeature>();
+            Assert.IsNotNull(addresses);
+
+            string baseAddress = addresses.Addresses.FirstOrDefault();
+            Assert.IsFalse(string.IsNullOrEmpty(baseAddress));
+
+            using HttpClient client = new()
+            {
+                BaseAddress = new Uri(baseAddress)
+            };
+
+            HttpRequestMessage request = new(HttpMethod.Post, requestPath);
+            if (!string.IsNullOrEmpty(forwardedHost))
+            {
+                request.Headers.Add("X-Forwarded-Host", forwardedHost);
+            }
+
+            if (!string.IsNullOrEmpty(forwardedProto))
+            {
+                request.Headers.Add("X-Forwarded-Proto", forwardedProto);
+            }
+
+            if (entityType is EntitySourceType.Table)
+            {
+                JsonElement requestBodyElement = JsonDocument.Parse(@"{
+                    ""title"": ""Forwarded Header Location Test"",
+                    ""publisher_id"": 1234
+                }").RootElement.Clone();
+
+                request.Content = JsonContent.Create(requestBodyElement);
+            }
+
+            HttpResponseMessage response = await client.SendAsync(request);
+
+            Assert.AreEqual(HttpStatusCode.Created, response.StatusCode);
+            Assert.IsNotNull(response.Headers.Location, "Location header should be present for successful POST create.");
+
+            Uri location = response.Headers.Location;
+            Assert.AreEqual(expectedScheme, location.Scheme, $"Expected Location scheme '{expectedScheme}', got '{location.Scheme}'.");
+
+            if (!string.IsNullOrEmpty(forwardedHost))
+            {
+                Assert.AreEqual(forwardedHost, location.Host, $"Expected Location host '{forwardedHost}', got '{location.Host}'.");
+            }
+
+            // Since forwarded host is external, validate follow-up using local path only.
+            string localPathAndQuery = string.IsNullOrEmpty(location.Query) ? location.AbsolutePath : location.AbsolutePath + location.Query;
+            HttpRequestMessage followUpRequest = new(HttpMethod.Get, localPathAndQuery);
+            HttpResponseMessage followUpResponse = await client.SendAsync(followUpRequest);
+            Assert.AreEqual(HttpStatusCode.OK, followUpResponse.StatusCode);
+
+            if (entityType is EntitySourceType.Table)
+            {
+                HttpRequestMessage cleanupRequest = new(HttpMethod.Delete, localPathAndQuery);
+                await client.SendAsync(cleanupRequest);
+            }
+
+            await host.StopAsync();
+        }
+
         /// <summary>
         /// Test to validate that when the property rest.request-body-strict is absent from the rest runtime section in config file, DAB runs in strict mode.
         /// In strict mode, presence of extra fields in the request body is not permitted and leads to HTTP 400 - BadRequest error.
