https://bz.apache.org/bugzilla/show_bug.cgi?id=61355
--- Comment #5 from William A. Rowe Jr. <wr...@apache.org> ---

> [The] following config is the same threat:
>
> SetEnvIf X-Forwarded-Proto https HTTPS=on
> SetEnvIf X-Forwarded-Proto https REQUEST_SCHEME=https
>
> And this is recommended everywhere to do!

Yes. That is a threat, unless the internally-trusted front end ahead of all external routes to that server unilaterally clears and then forces the true value of the X-F-P header.

When you do see that recommended, you would be doing a great service to comment on the potential hazard of those directives.

Thank you for your patch submission. Entirely returned from holiday schedules, so I'll examine your patch shortly.
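
The condition described in the comment above, sketched as configuration. This is an added example, not part of the original message or the submitted patch; the host name, certificate paths and the 192.0.2.x addresses are constructed placeholders, and it assumes mod_headers, mod_ssl and mod_proxy_http on the front end and httpd 2.4 (for SetEnvIfExpr) on the backend.

```apache
# --- Front end: the only hop reachable from outside (constructed: 192.0.2.10) ---
# Discard whatever X-Forwarded-Proto the client sent, then state the true scheme.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/path/to/placeholder-cert.pem"
    SSLCertificateKeyFile "/path/to/placeholder-key.pem"
    RequestHeader unset X-Forwarded-Proto
    RequestHeader set   X-Forwarded-Proto "https"
    ProxyPass "/" "http://192.0.2.20:8080/"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    # Plain-HTTP listener: the forced value is "http", whatever the client claimed.
    RequestHeader unset X-Forwarded-Proto
    RequestHeader set   X-Forwarded-Proto "http"
    ProxyPass "/" "http://192.0.2.20:8080/"
</VirtualHost>

# --- Backend (constructed: 192.0.2.20) ---
# Form quoted in the comment; it trusts the header from any peer:
#   SetEnvIf X-Forwarded-Proto https HTTPS=on
#   SetEnvIf X-Forwarded-Proto https REQUEST_SCHEME=https
#
# Gated form: honour the header only when the TCP peer is the front end.
SetEnvIfExpr "-R '192.0.2.10' && req('X-Forwarded-Proto') == 'https'" HTTPS=on
SetEnvIfExpr "-R '192.0.2.10' && req('X-Forwarded-Proto') == 'https'" REQUEST_SCHEME=https
```

The backend gate does not replace the front-end rewrite: the peer-address check only establishes that the request came through the front end, and the header value is trustworthy only because that front end overwrote it.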