From 8eb1542f64075b0c7e6bc88f8dca6ada3387aa8a Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 16 Mar 2023 08:07:57 +0100
Subject: [PATCH 1/2] Paranoia: drop the headers we don't use
---
 core/nginx/conf/proxy.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index e4ff6c93..d0629b97 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
@@ -1,8 +1,9 @@
 # Default proxy setup
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header True-Client-IP $remote_addr;
-proxy_set_header Forwarded "";
+proxy_hide_header True-Client-IP;
+proxy_hide_header CF-Connecting-IP;
+
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 {% if REAL_IP_HEADER and REAL_IP_FROM %}
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -10,3 +11,8 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-For $remote_addr;
 {% endif %}
 proxy_http_version 1.1;
+proxy_hide_header Forwarded;
+proxy_hide_header X-Forwarded-Host;
+proxy_hide_header X-Forwarded-Server;
+proxy_hide_header X-Host;
+proxy_hide_header X-HTTP-Host-Override;
From 698f1f377c443ef7ffe13072ad4ebcc7293b39e2 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 16 Mar 2023 08:12:46 +0100
Subject: [PATCH 2/2] Check https://attackshipsonfi.re/p/exploiting-cors-misconfigurations out
---
 core/nginx/conf/proxy.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index d0629b97..caad476b 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
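Review bot: `proxy_hide_header` only controls which upstream response headers nginx passes back to the client; it does nothing to a client-supplied request header on its way to the backend, so the added `proxy_hide_header True-Client-IP;` and `proxy_hide_header CF-Connecting-IP;` in this hunk do not achieve what "drop the headers we don't use" implies. The removed `proxy_set_header Forwarded "";` was the correct request-side mechanism (nginx omits a request header whose value is set to the empty string), and the `@@ -10,3 +11,8 @@` hunk brings it back only as `proxy_hide_header Forwarded;`, so after this patch a client-sent Forwarded header reaches the backend where before it was stripped; the same applies to every other `proxy_hide_header` line in that hunk and in the `@@ -16,3 +16,12 @@` hunk of the second patch. Each should use the request-side form instead, e.g. `proxy_set_header True-Client-IP "";` and `proxy_set_header CF-Connecting-IP "";`, with the hide directives kept only if suppressing those names in upstream responses is separately wanted. X-Real-IP and X-Forwarded-For are unaffected because their own `proxy_set_header` lines already overwrite whatever the client sends.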
@@ -16,3 +16,12 @@ proxy_hide_header X-Forwarded-Host;
 proxy_hide_header X-Forwarded-Server;
 proxy_hide_header X-Host;
 proxy_hide_header X-HTTP-Host-Override;
+
+proxy_hide_header X-Original-URL;
+proxy_hide_header X-Rewrite-URL;
+proxy_hide_header X-URL;
+
+proxy_hide_header X-HTTP-Method;
+proxy_hide_header X-HTTP-Method-Override;
+proxy_hide_header X-Method;
+proxy_hide_header X-Method-Override;
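Review bot: The two new groups of directives, `proxy_hide_header X-Original-URL;` through `proxy_hide_header X-Method-Override;`, carry no comment and the commit message is only a URL, so the file itself never states what these names have in common or why they are listed; a one-line header above the block, e.g. `# URL and method override headers: the backend must never act on client-supplied values (see https://attackshipsonfi.re/p/exploiting-cors-misconfigurations)`, would keep that intent with the list. Separating the URL-override and method-override names by a bare blank line alone, as the hunk does, gives the next maintainer no hint of where a further name belongs.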