feat(@angular/ssr): support the standard Forwarded header

alan-agius4 · web-flow · commit 7ef9ed24d3c1 · 2026-06-23T10:45:19.000+02:00
This commit adds support for the standard RFC 7239 `Forwarded` header in the Angular SSR request parsing and validation layers.
diff --git a/packages/angular/ssr/node/src/request.ts b/packages/angular/ssr/node/src/request.ts
@@ -12,6 +12,7 @@ import {
   getFirstHeaderValue,
   isProxyHeaderAllowed,
   normalizeTrustProxyHeaders,
+  parseForwardedHeader,
 } from '../../src/utils/validation';
 
 /**
@@ -40,7 +41,7 @@ const HTTP2_PSEUDO_HEADERS: ReadonlySet<string> = new Set([
  * @param trustProxyHeaders - A boolean or an array of proxy headers to trust when constructing the request URL.
  *
  * @remarks
- * When `trustProxyHeaders` is enabled, headers such as `X-Forwarded-Host` and
+ * When `trustProxyHeaders` is enabled, headers such as `Forwarded`, `X-Forwarded-Host`, and
  * `X-Forwarded-Prefix` should ideally be strictly validated at a higher infrastructure
  * level (e.g., at the reverse proxy or API gateway) before reaching the application.
  *
@@ -97,7 +98,7 @@ function createRequestHeaders(nodeHeaders: IncomingHttpHeaders): Headers {
  * @param trustProxyHeaders - A set of allowed proxy headers.
  *
  * @remarks
- * When `trustProxyHeaders` is enabled, headers such as `X-Forwarded-Host` and
+ * When `trustProxyHeaders` is enabled, headers such as `Forwarded`, `X-Forwarded-Host`, and
  * `X-Forwarded-Prefix` should ideally be strictly validated at a higher infrastructure
  * level (e.g., at the reverse proxy or API gateway) before reaching the application.
  *
@@ -114,11 +115,16 @@ export function createRequestUrl(
     originalUrl,
   } = nodeRequest as IncomingMessage & { originalUrl?: string };
 
+  const forwardedHeaderValue = getAllowedProxyHeaderValue(headers, 'forwarded', trustProxyHeaders);
+  const forwardedParams = parseForwardedHeader(forwardedHeaderValue);
+
   const protocol =
+    forwardedParams.proto ??
     getAllowedProxyHeaderValue(headers, 'x-forwarded-proto', trustProxyHeaders) ??
     ('encrypted' in socket && socket.encrypted ? 'https' : 'http');
 
   const hostname =
+    forwardedParams.host ??
     getAllowedProxyHeaderValue(headers, 'x-forwarded-host', trustProxyHeaders) ??
     headers.host ??
     headers[':authority'];
diff --git a/packages/angular/ssr/node/test/request_spec.ts b/packages/angular/ssr/node/test/request_spec.ts
@@ -153,4 +153,62 @@ describe('createRequestUrl', () => {
     );
     expect(url.href).toBe('https://example.com:8443/test');
   });
+
+  it('should prioritize "forwarded" header over standard and x-forwarded headers', () => {
+    const url = createRequestUrl(
+      createRequest({
+        headers: {
+          host: 'localhost:8080',
+          'x-forwarded-host': 'other.com',
+          'x-forwarded-proto': 'http',
+          'forwarded': 'host=example.com;proto=https',
+        },
+        url: '/test',
+      }),
+      normalizeTrustProxyHeaders(true),
+    );
+    expect(url.href).toBe('https://example.com/test');
+  });
+
+  it('should parse forwarded parameters correctly (including quoted values)', () => {
+    const url = createRequestUrl(
+      createRequest({
+        headers: {
+          host: 'localhost:8080',
+          'forwarded': 'host="example.com:8443";proto="https"',
+        },
+        url: '/test',
+      }),
+      normalizeTrustProxyHeaders(true),
+    );
+    expect(url.href).toBe('https://example.com:8443/test');
+  });
+
+  it('should not treat parameters inside quoted values as top-level parameters in "forwarded" header', () => {
+    const url = createRequestUrl(
+      createRequest({
+        headers: {
+          host: 'localhost:8080',
+          'forwarded': 'for="192.0.2.60;host=evil.com";proto=https',
+        },
+        url: '/test',
+      }),
+      normalizeTrustProxyHeaders(true),
+    );
+    expect(url.href).toBe('https://localhost:8080/test');
+  });
+
+  it('should ignore "forwarded" header when it is not trusted', () => {
+    const url = createRequestUrl(
+      createRequest({
+        headers: {
+          host: 'localhost:8080',
+          'forwarded': 'host=example.com;proto=https',
+        },
+        url: '/test',
+      }),
+      normalizeTrustProxyHeaders(false),
+    );
+    expect(url.href).toBe('http://localhost:8080/test');
+  });
 });
diff --git a/packages/angular/ssr/src/app-engine.ts b/packages/angular/ssr/src/app-engine.ts
@@ -28,12 +28,12 @@ export interface AngularAppEngineOptions {
   allowedHosts?: readonly string[];
 
   /**
-   * Extends the scope of trusted proxy headers (`X-Forwarded-*`).
+   * Extends the scope of trusted proxy headers (`Forwarded` or `X-Forwarded-*`).
    *
    * @remarks
    * **This is a security-sensitive option!**
    *
-   * When `trustProxyHeaders` is enabled, request headers such as `X-Forwarded-Host` and
+   * When `trustProxyHeaders` is enabled, request headers such as `Forwarded`, `X-Forwarded-Host`, and
    * `X-Forwarded-Prefix` are trusted by the server and used for routing. These
    * headers must be strictly validated and provided by a trusted client (e.g., at a reverse proxy, load
    * balancer, or API gateway) and must *not* be provided by untrusted end users.
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -103,7 +103,8 @@ export function sanitizeRequestHeaders(
 
   for (const [key, value] of request.headers) {
     const lowerKey = key.toLowerCase();
-    if (lowerKey.startsWith('x-forwarded-') && !isProxyHeaderAllowed(lowerKey, trustProxyHeaders)) {
+    const isProxyHeader = lowerKey === 'forwarded' || lowerKey.startsWith('x-forwarded-');
+    if (isProxyHeader && !isProxyHeaderAllowed(lowerKey, trustProxyHeaders)) {
       // eslint-disable-next-line no-console
       console.warn(
         `Received "${key}" header but "trustProxyHeaders" was not set up to allow it.\n` +
@@ -199,6 +200,17 @@ function validateHeaders(
     }
   }
 
+  const forwarded = headers.get('forwarded');
+  if (forwarded) {
+    const forwardedParams = parseForwardedHeader(forwarded);
+    if (forwardedParams.host && !disableHostCheck) {
+      verifyHostAllowed('Forwarded "host"', forwardedParams.host, allowedHosts);
+    }
+    if (forwardedParams.proto && !VALID_PROTO_REGEX.test(forwardedParams.proto)) {
+      throw new Error('Header "forwarded" proto parameter must be either "http" or "https".');
+    }
+  }
+
   const xForwardedPort = getFirstHeaderValue(headers.get('x-forwarded-port'));
   if (xForwardedPort && !VALID_PORT_REGEX.test(xForwardedPort)) {
     throw new Error('Header "x-forwarded-port" must be a numeric value.');
@@ -251,12 +263,158 @@ export function normalizeTrustProxyHeaders(
     return new Set([TRUST_ALL_PROXY_HEADERS]);
   }
 
-  const normalizedTrustedProxyHeaders = new Set(trustProxyHeaders.map((h) => h.toLowerCase()));
-  if (normalizedTrustedProxyHeaders.has(TRUST_ALL_PROXY_HEADERS)) {
-    throw new Error(
-      `"${TRUST_ALL_PROXY_HEADERS}" is not allowed as a value for the "trustProxyHeaders" option.`,
-    );
+  const normalizedTrustedProxyHeaders = new Set<string>();
+  for (const header of trustProxyHeaders) {
+    const lowerHeader = header.toLowerCase();
+    if (lowerHeader === TRUST_ALL_PROXY_HEADERS) {
+      throw new Error(
+        `"${TRUST_ALL_PROXY_HEADERS}" is not allowed as a value for the "trustProxyHeaders" option.`,
+      );
+    }
+    const isValid = lowerHeader === 'forwarded' || lowerHeader.startsWith('x-forwarded-');
+    if (!isValid) {
+      throw new Error(
+        `"${header}" is not a valid proxy header. Trusted proxy headers must be "forwarded" or start with "x-forwarded-".`,
+      );
+    }
+    normalizedTrustedProxyHeaders.add(lowerHeader);
   }
 
   return normalizedTrustedProxyHeaders;
 }
+
+/**
+ * Parses the standard `Forwarded` header (RFC 7239).
+ * It extracts the parameters from the first (leftmost) element in the header.
+ *
+ * @param headerValue - The value of the `Forwarded` header.
+ * @returns A record of lowercase parameter names to their values.
+ */
+export function parseForwardedHeader(
+  headerValue: string | null | undefined,
+): Record<string, string> {
+  if (!headerValue) {
+    return {};
+  }
+
+  const params: Record<string, string> = {};
+  let inQuotes = false;
+  let escaped = false;
+  let currentKey = '';
+  let currentValue = '';
+  let isParsingValue = false;
+  let isKeyEnded = false;
+  let isParsingValueEnded = false;
+
+  for (const char of headerValue) {
+    if (escaped) {
+      escaped = false;
+      if (isParsingValue) {
+        currentValue += char;
+      } else {
+        currentKey += char;
+      }
+      continue;
+    }
+
+    if (char === '\\') {
+      if (inQuotes) {
+        escaped = true;
+      } else if (isParsingValue) {
+        currentValue += char;
+      } else {
+        currentKey += char;
+      }
+      continue;
+    }
+
+    if (char === '"') {
+      inQuotes = !inQuotes;
+      continue;
+    }
+
+    if (inQuotes) {
+      if (isParsingValue) {
+        currentValue += char;
+      } else {
+        currentKey += char;
+      }
+      continue;
+    }
+
+    if (char === ',') {
+      addParam(currentKey, currentValue, isParsingValue, params);
+      break;
+    }
+
+    if (char === ';') {
+      addParam(currentKey, currentValue, isParsingValue, params);
+      currentKey = '';
+      currentValue = '';
+      isParsingValue = false;
+      isKeyEnded = false;
+      isParsingValueEnded = false;
+      continue;
+    }
+
+    if (char === '=') {
+      if (!isParsingValue) {
+        isParsingValue = true;
+      } else {
+        currentValue += char;
+      }
+      continue;
+    }
+
+    if (char === ' ' || char === '\t') {
+      if (isParsingValue) {
+        if (currentValue.length > 0) {
+          isParsingValueEnded = true;
+        }
+      } else if (currentKey.length > 0) {
+        isKeyEnded = true;
+      }
+      continue;
+    }
+
+    if (isParsingValue) {
+      if (!isParsingValueEnded) {
+        currentValue += char;
+      }
+    } else if (isKeyEnded) {
+      currentKey = char;
+      isKeyEnded = false;
+    } else {
+      currentKey += char;
+    }
+  }
+
+  if (currentKey || currentValue || isParsingValue) {
+    addParam(currentKey, currentValue, isParsingValue, params);
+  }
+
+  return params;
+}
+
+/**
+ * Helper function to add a parameter to the params object.
+ * @param key - The key to add.
+ * @param value - The value to add.
+ * @param hasValue - Whether the parameter has a value.
+ * @param params - The params object to add the parameter to.
+ */
+function addParam(
+  key: string,
+  value: string,
+  hasValue: boolean,
+  params: Record<string, string>,
+): void {
+  if (!hasValue) {
+    return;
+  }
+
+  const trimmedKey = key.trim().toLowerCase();
+  if (trimmedKey) {
+    params[trimmedKey] = value;
+  }
+}
diff --git a/packages/angular/ssr/test/utils/validation_spec.ts b/packages/angular/ssr/test/utils/validation_spec.ts

Original file line number	Diff line number	Diff line change
`@@ -28,12 +28,12 @@ export interface AngularAppEngineOptions {`
`28`	`28`	`allowedHosts?: readonly string[];`
`29`	`29`
`30`	`30`	`/**`
`31`		- * Extends the scope of trusted proxy headers (`X-Forwarded-*`).
	`31`	+ * Extends the scope of trusted proxy headers (`Forwarded` or `X-Forwarded-*`).
`32`	`32`	`*`
`33`	`33`	`* @remarks`
`34`	`34`	`* This is a security-sensitive option!`
`35`	`35`	`*`
`36`		- * When `trustProxyHeaders` is enabled, request headers such as `X-Forwarded-Host` and
	`36`	+ * When `trustProxyHeaders` is enabled, request headers such as `Forwarded`, `X-Forwarded-Host`, and
`37`	`37`	* `X-Forwarded-Prefix` are trusted by the server and used for routing. These
`38`	`38`	`* headers must be strictly validated and provided by a trusted client (e.g., at a reverse proxy, load`
`39`	`39`	`* balancer, or API gateway) and must not be provided by untrusted end users.`