Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi everyone, what was the reasoning behind this PR? <https://github.com/ory/kratos/pull/4048>

Was using request headers to grab the client IP and other metadata, and this list seems very arbitrary.

I believe the reason was to not accidentally leak information to webhook targets (especially in Ory Network). The list is a combination of common headers sent by the browser, as well as headers we deemed safe.

What specific headers are you missing?

It's the first time I'm seeing True-Client-Ip be exclusively used for client IPs, and my proxy didn't include that- would it be possible to split this into a config value? I could possibly work on it if yes