bryancall commented on issue #6334: URL: https://github.com/apache/trafficserver/issues/6334#issuecomment-4827338484
The core of this request, default-deny access control over which XDebug headers a client can request, was implemented in https://github.com/apache/trafficserver/pull/9249 ("Add enable option to xdebug plugin"), first released in 10.0.0. All debug headers are now disabled by default and must be selectively enabled by the operator, for example "--enable=x-remap,x-cache", which mirrors the allow-list suggested here. If a client requests a header that has not been enabled, the plugin will not inject it. The optional IP allow-list idea was not added as a plugin option (IP-based gating can be handled in remap.config / ip_allow ahead of the plugin), but the main concern about sensitive and computationally expensive fields being exposed by default is addressed. Closing as resolved; please reopen or file a focused follow-up if the IP allow-list is still wanted. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
