Mention security considerations in Forwarded filters

bclozel · bclozel · commit 9776929a9d0d · 2020-12-03T15:40:31.000+01:00
This commit improves the Javadoc for the `ForwardedHeaderFilter` (Servlet Filter) and `ForwardedHeaderTransformer` (reactive variant) so as to mention security considerations linked to Forwarded HTTP headers. Closes gh-26081
diff --git a/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java b/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
@@ -56,8 +56,13 @@
  * <li>{@link HttpServletResponse#sendRedirect(String) sendRedirect(String)}.
  * </ul>
  *
- * <p>This filter can also be used in a {@link #setRemoveOnly removeOnly} mode
- * where "Forwarded" and "X-Forwarded-*" headers are eliminated, and not used.
+ * <p>There are security considerations for forwarded headers since an application
+ * cannot know if the headers were added by a proxy, as intended, or by a malicious
+ * client. This is why a proxy at the boundary of trust should be configured to
+ * remove untrusted Forwarded headers that come from the outside.
+ *
+ * <p>You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly},
+ * in which case it removes but does not use the headers.
  *
  * @author Rossen Stoyanchev
  * @author Eddú Meléndez
diff --git a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java
@@ -36,15 +36,20 @@
  * the request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects
  * the client-originated protocol and address.
  *
- * <p>Alternatively if {@link #setRemoveOnly removeOnly} is set to "true",
- * then "Forwarded" and "X-Forwarded-*" headers are only removed, and not used.
- *
  * <p>An instance of this class is typically declared as a bean with the name
  * "forwardedHeaderTransformer" and detected by
  * {@link WebHttpHandlerBuilder#applicationContext(ApplicationContext)}, or it
  * can also be registered directly via
  * {@link WebHttpHandlerBuilder#forwardedHeaderTransformer(ForwardedHeaderTransformer)}.
  *
+ * <p>There are security considerations for forwarded headers since an application
+ * cannot know if the headers were added by a proxy, as intended, or by a malicious
+ * client. This is why a proxy at the boundary of trust should be configured to
+ * remove untrusted Forwarded headers that come from the outside.
+ *
+ * <p>You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly},
+ * in which case it removes but does not use the headers.
+ *
  * @author Rossen Stoyanchev
  * @since 5.1
  * @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
