Problem/Motivation

Incorrect or incomplete reverse proxy configuration (for example, missing trusted proxy settings or improper handling of X-Forwarded-For/X-Forwarded-Proto headers) can allow client IP spoofing and incorrect HTTPS detection, breaking logging, rate limiting, and security decisions that depend on the real client IP and scheme.

Steps to reproduce

Proposed resolution

Add a new Security FitCheck plugin ReverseProxySafetyCheck that:

  • Inspects Drupal’s reverse proxy-related settings (such as reverse_proxy, trusted_proxies, and handling of forwarded headers) to verify they are explicitly configured and not overly permissive.
  • Fails with FitWeight::High when no trusted proxies are defined while reverse proxy usage is detected, or when the configuration trusts all sources, and passes with FitWeight::Ok when proxies and headers are set safely.
  • Reports any risky configuration in the FitResult with a short help message recommending explicit trusted proxy lists and correct use of X-Forwarded-For/X-Forwarded-Proto according to the site’s load balancer or CDN setup.

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork drupalfit-3558974

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

harivansh created an issue. See original summary.

harivansh’s picture

shubham.prakash made their first commit to this issue’s fork.

shubham.prakash’s picture

Status: Active » Needs review

harivansh’s picture

Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

harivansh’s picture

Status: Fixed » Closed (fixed)