Nov 18, 2020 · Nov 4, 2020
diff --git a/deployment/proxies.rst b/deployment/proxies.rst
        ['192.0.0.1', '10.0.0.0/8'],

        // trust *all* "X-Forwarded-*" headers
        Request::HEADER_X_FORWARDED_ALL
        Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO

        // or, if your proxy instead uses the "Forwarded" header
        // Request::HEADER_FORWARDED

        // or, if you're usingAWS ELB
        // or, if you're usinga wellknown proxy
        // Request::HEADER_X_FORWARDED_AWS_ELB
        // Request::HEADER_X_FORWARDED_TRAEFIK
    );

 .. caution::

    Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the
    application to "`HTTP Host header attacks`_". Make sure the proxy really
    send a ``x-forwarded-host`` header.

 The Request object has several ``Request::HEADER_*`` constants that control exactly
 *which* headers from your reverse proxy are trusted. The argument is a bit field,
 so you can also pass your own value (e.g. ``0b00110``).
 .. _`security groups`: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
 .. _`CloudFront`: https://en.wikipedia.org/wiki/Amazon_CloudFront
 .. _`CloudFront IP ranges`: https://ip-ranges.amazonaws.com/ip-ranges.json
 .. _`HTTP Host header attacks`: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
diff --git a/migration.rst b/migration.rst
    if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) {
        Request::setTrustedProxies(
          explode(',', $trustedProxies),
          Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST
          Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
        );
    }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -35,15 +35,22 @@ and what headers your reverse proxy uses to send information::
		['192.0.0.1', '10.0.0.0/8'],

		// trust all "X-Forwarded-*" headers
		Request::HEADER_X_FORWARDED_ALL
		Request::HEADER_X_FORWARDED_FOR \| Request::HEADER_X_FORWARDED_HOST \| Request::HEADER_X_FORWARDED_PORT \| Request::HEADER_X_FORWARDED_PROTO

		// or, if your proxy instead uses the "Forwarded" header
		// Request::HEADER_FORWARDED

		// or, if you're usingAWS ELB
		// or, if you're usinga wellknown proxy
		// Request::HEADER_X_FORWARDED_AWS_ELB
		// Request::HEADER_X_FORWARDED_TRAEFIK
		);

		.. caution::

		Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the
		application to "`HTTP Host header attacks`_". Make sure the proxy really
		send a ``x-forwarded-host`` header.

		The Request object has several ``Request::HEADER_*`` constants that control exactly
		which headers from your reverse proxy are trusted. The argument is a bit field,
		so you can also pass your own value (e.g. ``0b00110``).
Expand DownExpand Up		@@ -114,3 +121,4 @@ In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value
		.. _`security groups`: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
		.. _`CloudFront`: https://en.wikipedia.org/wiki/Amazon_CloudFront
		.. _`CloudFront IP ranges`: https://ip-ranges.amazonaws.com/ip-ranges.json
		.. _`HTTP Host header attacks`: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
Original file line number	Diff line number	Diff line change
Expand Up		@@ -262,7 +262,7 @@ could look something like this::
		if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) {
		Request::setTrustedProxies(
		explode(',', $trustedProxies),
		Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST
		Request::HEADER_X_FORWARDED_FOR \| Request::HEADER_X_FORWARDED_PORT \| Request::HEADER_X_FORWARDED_PROTO
		);
		}

Expand Down