Skip to content
This repository has been archived by the owner on Dec 11, 2022. It is now read-only.

fix: Include X-Forwarded-Proto header on Hydra GET requests #35

Merged
merged 1 commit into from
Aug 4, 2020
Merged

fix: Include X-Forwarded-Proto header on Hydra GET requests #35

merged 1 commit into from
Aug 4, 2020

Conversation

samkelleher
Copy link
Contributor

Adds the X-Forwarded-Proto to all GET requests to Hydras admin endpoint, as already exists for PUT requests.

Background

When Hydra is run in production, it requires https connections. Except when run behind a load balancer that does TLS termination for example, in which case it will accept http requests from an allowed list of IP addresses that also contain the forwarded headed, as described here. If hydra is run with --dangerous-force-http then this header is also not needed, but this is not advisable for prod, and breaks the SameSite+Secure cookies which chrome rejects.

Without the header, the request is rejected by Hydra. This PR adds the header to GET requests and is controlled the same way, by an env var flag.

Signed-off-by: Sam Kelleher [email protected]

rosshadden
rosshadden approved these changes Aug 4, 2020
View reviewed changes
Copy link
Contributor

@rosshadden rosshadden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@rosshadden rosshadden merged commit a91ded0 into reactioncommerce:trunk Aug 4, 2020
@kieckhafer kieckhafer mentioned this pull request Aug 4, 2020
Merged
This was referenced Aug 5, 2020
Merged
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rosshadden rosshadden rosshadden approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@samkelleher @rosshadden