remove Heroku specific Req headers from being sent to Origin

-saves bytes, and avoids triggering IDS/WAF alarms since browser finger printing will prove these headers are unnatural and on SSL must be a MITM attack -leave x-forwarded-* intact since they can be used to block CORS proxy abuse if the not-CORS origin webmaster really has to block the proxy and they are not unique to Heroku platform
2026-05-13 15:09:25 +00:00 · 2020-09-24 17:55:56 -04:00
parent a0309e6c47
commit 7271e29f21
1 changed files with 8 additions and 0 deletions
--- a/server.js
+++ b/server.js
@@ -33,6 +33,14 @@ cors_proxy.createServer({
    'x-heroku-queue-depth',
    'x-heroku-dynos-in-use',
    'x-request-start',
+    'x-request-id',
+    'via',
+    'connect-time',
+    'total-route-time',
+    // Other Heroku added debug headers
+    // 'x-forwarded-for',
+    // 'x-forwarded-proto',
+    // 'x-forwarded-port',
  ],
  redirectSameOrigin: true,
  httpProxyOptions: {