mirror of
https://github.com/golang/go.git
synced 2025-12-07 13:50:04 +00:00
53845004d6
The Director function has been superseded by Rewrite. Rewrite avoids fundamental security issues with hop-by-hop header handling in the Director API and has better default handling of X-Forwarded-* headers. Fixes #73161 Change-Id: Iadaf3070e0082458f79fb892ade51cb7ce832802 Reviewed-on: https://go-review.googlesource.com/c/go/+/708615 Reviewed-by: Nicholas Husin <husin@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <nsh@golang.org>
569 B
569 B
The [ReverseProxy.Director] configuration field is deprecated in favor of [ReverseProxy.Rewrite].
A malicious client can remove headers added by a Director function
by designating those headers as hop-by-hop. Since there is no way to address
this problem within the scope of the Director API, we added a new
Rewrite hook in Go 1.20. Rewrite hooks are provided with both the
unmodified inbound request received by the proxy and the outbound request
which will be sent by the proxy.
Since the Director hook is fundamentally unsafe, we are now deprecating it.