The web server responds to TRACE method requests by echoing the received request.
Security implication
This can reveal sensitive information, such as internal authentication headers added by reverse proxies (for example an Authorization header), because the full request, including those headers, is echoed back to the client.
The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server.
The header is an HTTP multi-valued header, which means that it can have one or more values, each separated by a comma.
This header is not added by default.

X-Forwarded-For: 2001:DB8::6, 192.0.2.1

Let us consider an incoming TCP connection from 127.0.0.1. This implies that the client had IPv6 address 2001:DB8::6 when connecting to the first proxy, then that proxy used IPv4 to connect from 192.0.2.1 to the final proxy, which was running on localhost.
$_SERVER['REMOTE_ADDR'] contains the actual physical IP address that the web server received the connection from and that the response will be sent to. $_SERVER['HTTP_X_FORWARDED_FOR'] contains the header value as sent, and this value is easily spoofed because any client can set it.
Security implication
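As an added example that is not part of the original text: a server-side resolver showing how to use X-Forwarded-For without trusting the spoofable part. It starts from REMOTE_ADDR (the peer the server actually talked to) and walks the header from right to left, stepping past addresses that belong to known proxies; the trusted-proxy list and the sample values are assumptions constructed from the example above.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample values, mirroring the example in the text above.
REMOTE_ADDR = "127.0.0.1"
XFF = "2001:DB8::6, 192.0.2.1"
TRUSTED_PROXIES = ["127.0.0.1", "192.0.2.1"]  # assumed deployment-specific list


def parse_xff(header: Optional[str]) -> List[IPAddr]:
    """Split a multi-valued X-Forwarded-For header into parsed addresses.

    Entries are left to right in the order proxies appended them, so the
    leftmost entries are the least trustworthy: any client can send them.
    A malformed entry raises ValueError instead of being silently kept.
    """
    if not header:
        return []
    return [ipaddress.ip_address(part.strip())
            for part in header.split(",") if part.strip()]


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the originating client IP as a string.

    REMOTE_ADDR cannot be forged by the client, so it is the anchor. If it
    is not one of our proxies, the header is ignored entirely. Otherwise the
    chain is walked right to left past trusted proxies; the first address
    that is not a trusted proxy is the client. Anything further left was
    written by an untrusted party and is never used.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        return str(peer)
    try:
        chain = parse_xff(xff_header)
    except ValueError:
        # Garbage in the header: fall back to the peer rather than guessing.
        return str(peer)
    for addr in reversed(chain):
        if addr not in trusted:
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    print(client_ip(REMOTE_ADDR, XFF, TRUSTED_PROXIES))  # 2001:db8::6
```

With only 127.0.0.1 in the trusted list, the same header resolves to 192.0.2.1 and the client-supplied leading value is discarded, which is the behaviour a rate limiter or access-control check built on this header needs.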
The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header.
Security implication
Test this header when you need to verify a link generated by the application. For example, a password reset email might contain a link like https://website.com/reset-password?token=<token>. By modifying this header, you can control "website.com".
Some applications support non-standard headers such as these in order to allow overriding the target URL of a request with the one specified in the header value.
Security implication