Skip to content

feat(@angular/ssr): support the standard Forwarded header#33406

Open
alan-agius4 wants to merge 1 commit into
angular:mainfrom
alan-agius4:feat/forwarded-header
Open

feat(@angular/ssr): support the standard Forwarded header#33406
alan-agius4 wants to merge 1 commit into
angular:mainfrom
alan-agius4:feat/forwarded-header

Conversation

@alan-agius4

@alan-agius4 alan-agius4 commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

This commit adds support for the standard RFC 7239 Forwarded header in the Angular SSR request parsing and validation layers.

Previously, only non-standard x-forwarded-* headers were supported for resolving proxy-forwarded protocols, hosts, and ports. With this change:

  • A new parseForwardedHeader utility is added to parse standard Forwarded header parameters (such as host and proto), correctly handling quoted values and escaped characters.
  • In createRequestUrl, if the Forwarded header is trusted (via trustProxyHeaders configuration), its host and proto parameters are extracted and take precedence over corresponding x-forwarded-host and x-forwarded-proto headers.
  • Request validation is updated to verify the validity of Forwarded host and proto parameters.
  • Request sanitization is updated to scrub or retain the Forwarded header based on the configured trusted proxy headers.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded

@alan-agius4 alan-agius4 requested a review from dgp1130 June 18, 2026 08:01
@alan-agius4 alan-agius4 added the target: minor This PR is targeted for the next minor release label Jun 18, 2026
@angular-robot angular-robot Bot added detected: feature PR contains a feature commit area: @angular/ssr labels Jun 18, 2026
@alan-agius4 alan-agius4 force-pushed the feat/forwarded-header branch from ff18569 to fdb4c43 Compare June 18, 2026 08:03
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 18, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds support for parsing and validating the standard RFC 7239 Forwarded header in Angular SSR, prioritizing it over standard and x-forwarded-* headers when trusted. The review feedback highlights a critical issue in parseForwardedHeader where splitting the header value by semicolons blindly fails if a quoted parameter value contains a semicolon. The reviewer suggests using a robust regular expression to parse the parameters correctly and adding a corresponding test case to cover this scenario.

Comment thread packages/angular/ssr/src/utils/validation.ts
Comment thread packages/angular/ssr/node/test/request_spec.ts
@alan-agius4
feat(@angular/ssr): support the standard Forwarded header
9b93c32 
This commit adds support for the standard RFC 7239 `Forwarded` header in the Angular SSR request parsing and validation layers.

Previously, only non-standard `x-forwarded-*` headers were supported for resolving proxy-forwarded protocols, hosts, and ports. With this change:
- A new `parseForwardedHeader` utility is added to parse standard `Forwarded` header parameters (such as `host` and `proto`), correctly handling quoted values and escaped characters.
- In `createRequestUrl`, if the `Forwarded` header is trusted (via `trustProxyHeaders` configuration), its `host` and `proto` parameters are extracted and take precedence over corresponding `x-forwarded-host` and `x-forwarded-proto` headers.
- Request validation is updated to verify the validity of `Forwarded` host and proto parameters.
- Request sanitization is updated to scrub or retain the `Forwarded` header based on the configured trusted proxy headers.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded
@alan-agius4 alan-agius4 force-pushed the feat/forwarded-header branch from fdb4c43 to 9b93c32 Compare June 18, 2026 08:09
@alan-agius4 alan-agius4 mentioned this pull request Jun 18, 2026
Open
@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label Jun 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgp1130 dgp1130 Awaiting requested review from dgp1130

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: review The PR is still awaiting reviews from at least one requested reviewer area: @angular/ssr detected: feature PR contains a feature commit target: minor This PR is targeted for the next minor release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alan-agius4