zitadel

mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 20:47:32 +00:00

Files

Livio Spring 373f9fd418 fix: validate proto header and provide https enforcement (#9975 )

# Which Problems Are Solved

ZITADEL uses the notification triggering requests Forwarded or
X-Forwarded-Proto header to build the button link sent in emails for
confirming a password reset with the emailed code. If this header is
overwritten and a user clicks the link to a malicious site in the email,
the secret code can be retrieved and used to reset the users password
and take over his account.

Accounts with MFA or Passwordless enabled can not be taken over by this
attack.

# How the Problems Are Solved

- The `X-Forwarded-Proto` and `proto` of the Forwarded headers are
validated (http / https).
- Additionally, when exposing ZITADEL through https. An overwrite to
http is no longer possible.

# Additional Changes

None

# Additional Context

None

(cherry picked from commit c097887bc5)

2025-05-28 10:37:09 +02:00

middleware

fix: validate proto header and provide https enforcement (#9975 )

2025-05-28 10:37:09 +02:00

cookie.go

fix: set user agent cookie on host only (without subdomains) (#7297 )

2024-02-15 07:53:59 +01:00

domain_check.go

feat: api v2beta to api v2 (#8283 )

2024-07-26 22:39:55 +02:00

error_test.go

fix: add information about target response into error message if inte… (#8281 )