Skip to content

fix(middleware): do not append duplicate x-forwarded-* header values#120

Merged
pi0 merged 1 commit intomainfrom
fix/xheader-duplicates
Mar 25, 2026
Merged

fix(middleware): do not append duplicate x-forwarded-* header values#120
pi0 merged 1 commit intomainfrom
fix/xheader-duplicates

Conversation

@pi0
Copy link
Copy Markdown
Member

@pi0 pi0 commented Mar 25, 2026

Summary

  • Preserve existing x-forwarded-for, x-forwarded-port, and x-forwarded-proto headers instead of appending proxy-computed values
  • Fix applies to both HTTP (web-incoming.ts) and WebSocket (ws-incoming.ts) middleware
  • When a request already carries these headers from a downstream proxy, the old code concatenated them (e.g. "10.0.0.1,192.168.1.2") causing incorrect multi-hop attribution

Upstream: http-party/node-http-proxy#1581

Test plan

  • Added regression tests for both web-incoming and ws-incoming XHeaders passes
  • Tests confirmed to fail before the fix and pass after
  • Full test suite passes with no new regressions

@pi0
fix(middleware): do not append duplicate x-forwarded-* header values
289e90a 
Preserve existing x-forwarded-* headers instead of appending proxy
values. When a request already carries these headers from a downstream
proxy, the old code would concatenate them (e.g. "10.0.0.1,192.168.1.2")
causing incorrect multi-hop attribution. Now the headers are only set
when absent, matching expected reverse-proxy behavior.

Upstream: http-party/node-http-proxy#1581
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Mar 25, 2026

Warning

Rate limit exceeded

@pi0 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 27 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ba7299aa-ec4b-441d-acef-c9c2034cccd7

📥 Commits

Reviewing files that changed from the base of the PR and between f30f90f and 289e90a.

📒 Files selected for processing (4)
  • src/middleware/web-incoming.ts
  • src/middleware/ws-incoming.ts
  • test/middleware/web-incoming.test.ts
  • test/middleware/ws-incoming.test.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/xheader-duplicates

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 25, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.12%. Comparing base (f30f90f) to head (289e90a).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #120   +/-   ##
=======================================
  Coverage   96.12%   96.12%           
=======================================
  Files           8        8           
  Lines         645      645           
  Branches      243      241    -2     
=======================================
  Hits          620      620           
  Misses         24       24           
  Partials        1        1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pi0 pi0 merged commit 1aba9fb into main Mar 25, 2026
7 checks passed
@pi0 pi0 mentioned this pull request Mar 25, 2026
Closed
@pi0 pi0 deleted the fix/xheader-duplicates branch March 25, 2026 20:28
@pi0 pi0 mentioned this pull request Mar 25, 2026
Open
58 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pi0