Class ForwardedHeaderTransformer

All Implemented Interfaces:

public class ForwardedHeaderTransformer extends Object implements Function<ServerHttpRequest,ServerHttpRequest>
Extract values from "Forwarded" and "X-Forwarded-*" headers to override the request URI (i.e. HttpRequest.getURI()) so it reflects the client-originated protocol and address.

An instance of this class is typically declared as a bean with the name "forwardedHeaderTransformer" and detected by WebHttpHandlerBuilder.applicationContext(ApplicationContext), or it can also be registered directly via WebHttpHandlerBuilder.forwardedHeaderTransformer(ForwardedHeaderTransformer).

There are security considerations for forwarded headers since an application cannot know if the headers were added by a proxy, as intended, or by a malicious client. This is why a proxy at the boundary of trust should be configured to remove untrusted Forwarded headers that come from the outside.

You can also configure the ForwardedHeaderFilter with removeOnly, in which case it removes but does not use the headers.

Rossen Stoyanchev
See Also:
  • Constructor Details

    • ForwardedHeaderTransformer

      public ForwardedHeaderTransformer()
  • Method Details

    • setRemoveOnly

      public void setRemoveOnly(boolean removeOnly)
      Enable mode in which any "Forwarded" or "X-Forwarded-*" headers are removed only and the information in them ignored.
      removeOnly - whether to discard and ignore forwarded headers
    • isRemoveOnly

      public boolean isRemoveOnly()
      Whether the "remove only" mode is on.
      See Also:
    • apply

      public ServerHttpRequest apply(ServerHttpRequest request)
      Apply and remove, or remove Forwarded type headers.
      Specified by:
      apply in interface Function<ServerHttpRequest,ServerHttpRequest>
      request - the request
    • hasForwardedHeaders

      protected boolean hasForwardedHeaders(ServerHttpRequest request)
      Whether the request has any Forwarded headers.
      request - the request