From 7271e29f21974213296bf4fa3b3c263ce43c7b51 Mon Sep 17 00:00:00 2001
From: bulk88
Date: Thu, 24 Sep 2020 17:55:56 -0400
Subject: [PATCH] remove Heroku specific Req headers from being sent to Origin

-saves bytes, and avoids triggering IDS/WAF alarms since browser finger printing will prove these headers are unnatural and on SSL must be a MITM attack
-leave x-forwarded-* intact since they can be used to block CORS proxy abuse if the not-CORS origin webmaster really has to block the proxy and they are not unique to Heroku platform
---
 server.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server.js b/server.js
index fb3f84d..802ed24 100644
--- a/server.js
+++ b/server.js
@@ -33,6 +33,14 @@ cors_proxy.createServer({
 'x-heroku-queue-depth',
 'x-heroku-dynos-in-use',
 'x-request-start',
+ 'x-request-id',
+ 'via',
+ 'connect-time',
+ 'total-route-time',
+ // Other Heroku added debug headers
+ // 'x-forwarded-for',
+ // 'x-forwarded-proto',
+ // 'x-forwarded-port',
 ],
 redirectSameOrigin: true,
 httpProxyOptions: {
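Review bot: The commented-out `x-forwarded-for` / `x-forwarded-proto` / `x-forwarded-port` entries are dead config, and the `// Other Heroku added debug headers` comment is placed after the entries it describes rather than before them; what a later reader needs is the rationale from the commit message, e.g. `// x-forwarded-* are intentionally kept: origins may rely on them to identify and block proxied traffic`. Stripping `via` also deserves its own comment, because RFC 7230 §5.7.1 requires a proxy to send a Via field and dropping it leaves the origin with less to detect the proxy hop by — the opposite direction from the reason given for keeping x-forwarded-*, so the trade-off should be recorded next to the entry. This assumes the array is the proxy's header-removal list, which cannot be confirmed here since the array and the `cors_proxy.createServer({` call both begin and end outside the hunk.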