eric/multi-domain-redux
1
0
Fork 0
Code Issues Pull requests Projects Releases 3 Packages Wiki Activity Actions

docs: document proxy stripping requirement for TRUST_PROXY mode #2

Merged
eric merged 1 commit from docs/trust-proxy-hardening-note into main 2026-06-27 14:56:46 -07:00
Conversation 0 Commits 1 Files changed 3 +26
eric commented 2026-06-27 14:44:40 -07:00
Owner
Copy link

Summary

  • README: expands the trusted-proxy section with an explicit requirement to strip X-Forwarded-Host at the proxy, an nginx config example, and a list of exactly which headers are honored (X-Forwarded-Host, X-Forwarded-Proto only)
  • Settings UI: adds a description note beneath the define() snippet so operators see the requirement at configuration time, not just in the docs
  • .pot: adds the new translatable string

Motivation

Hardening note #1 from the 2026-06-27 security audit. Not a vulnerability — TRUST_PROXY is an explicit opt-in — but the proxy configuration requirement was undocumented and operators could enable the constant without realising the proxy must also be configured to strip the header from clients.

Test plan

  • composer lint — clean
  • No logic changes; no unit tests required

🤖 Generated with Claude Code

## Summary - **README:** expands the trusted-proxy section with an explicit requirement to strip `X-Forwarded-Host` at the proxy, an nginx config example, and a list of exactly which headers are honored (`X-Forwarded-Host`, `X-Forwarded-Proto` only) - **Settings UI:** adds a description note beneath the `define()` snippet so operators see the requirement at configuration time, not just in the docs - **.pot:** adds the new translatable string ## Motivation Hardening note #1 from the 2026-06-27 security audit. Not a vulnerability — `TRUST_PROXY` is an explicit opt-in — but the proxy configuration requirement was undocumented and operators could enable the constant without realising the proxy must also be configured to strip the header from clients. ## Test plan - [x] `composer lint` — clean - [x] No logic changes; no unit tests required 🤖 Generated with [Claude Code](https://claude.com/claude-code)
docs: document proxy stripping requirement for TRUST_PROXY mode
All checks were successful
CI / Lint + Static Analysis (pull_request) Successful in 47s
Details
CI / Unit Tests (PHP 8.2) (pull_request) Successful in 46s
Details
CI / Unit Tests (PHP 8.3) (pull_request) Successful in 1m8s
Details
CI / Unit Tests (PHP 8.4) (pull_request) Successful in 1m13s
Details
CI / Unit Tests (PHP 8.5) (pull_request) Successful in 1m9s
Details
360e31fa62 
Adds explicit guidance that operators must configure their reverse proxy
to strip X-Forwarded-Host from inbound client requests and inject it
only server-side. Without this, enabling TRUST_PROXY provides no
protection against host spoofing.

README: expands the trusted-proxy section with the requirement, an nginx
example, and an explicit list of which headers are honored.
Settings UI: adds a description note directly beneath the code snippet
so operators see it at configuration time.
.pot: adds the new translatable settings UI string.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
eric merged commit 1b93bc53fd into main 2026-06-27 14:56:46 -07:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eric/multi-domain-redux!2
No description provided.