bryancall commented on issue #6334:
URL: https://github.com/apache/trafficserver/issues/6334#issuecomment-4827338484

   The core of this request, default-deny access control over which XDebug 
headers a client can request, was implemented in 
https://github.com/apache/trafficserver/pull/9249 ("Add enable option to xdebug 
plugin"), first released in 10.0.0. All debug headers are now disabled by 
default and must be selectively enabled by the operator, for example 
"--enable=x-remap,x-cache", which mirrors the allow-list suggested here. If a 
client requests a header that has not been enabled, the plugin will not inject 
it. The optional IP allow-list idea was not added as a plugin option (IP-based 
gating can be handled in remap.config / ip_allow ahead of the plugin), but the 
main concern about sensitive and computationally expensive fields being exposed 
by default is addressed. Closing as resolved; please reopen or file a focused 
follow-up if the IP allow-list is still wanted.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to