Users often connect to web servers through HTTP proxies.
A proxy can be configured to forward the client IP address via the X-Forwarded-For or Forwarded HTTP headers.
An IP address is personal information that can identify a single user and thus affect their privacy.
There is a risk if you answered yes to this question.
The user's IP address should not be forwarded unless the application needs it, for example as part of an authentication or authorization scheme, or for log management.
// Noncompliant example: a standalone http-proxy server that forwards
// client details to the target.
const httpProxy = require('http-proxy');

const proxyOptions = {
  target: 'http://localhost:9000',
  // xfwd: true makes the proxy add X-Forwarded-* headers, which discloses
  // the client's IP address to the target server. Enable it only when the
  // target needs the address (e.g. authentication, authorization, logging).
  xfwd: true, // Noncompliant
};

httpProxy.createProxyServer(proxyOptions).listen(8000);
// Noncompliant example: an Express app whose /proxy route forwards client
// details to the target through http-proxy-middleware.
const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

const forwardingProxy = createProxyMiddleware({
  target: 'http://localhost:9000',
  changeOrigin: true,
  // xfwd: true adds X-Forwarded-* headers, so the target server receives the
  // client's IP address. Enable it only when the target needs the address
  // (e.g. authentication, authorization, logging).
  xfwd: true, // Noncompliant
});
app.use('/proxy', forwardingProxy);

app.listen(3000);
// Compliant example: a standalone http-proxy server that keeps the default
// forwarding behaviour.
const httpProxy = require('http-proxy');

const proxyOptions = {
  // xfwd is deliberately left unset: it defaults to false, so the proxy does
  // not add the client's IP address to the requests it forwards.
  target: 'http://localhost:9000',
};

httpProxy.createProxyServer(proxyOptions).listen(8000); // Compliant
// Compliant example: an Express app whose /proxy route keeps the default
// forwarding behaviour of http-proxy-middleware.
const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

// xfwd is deliberately left unset: it defaults to false, so the proxy does
// not add the client's IP address to the requests it forwards.
const plainProxy = createProxyMiddleware({
  target: 'http://localhost:9000',
  changeOrigin: true,
}); // Compliant
app.use('/proxy', plainProxy);

app.listen(3000);