diff --git a/src/node/http.ts b/src/node/http.ts
index 0d9e2f6f1fb0..742ff0f17fec 100644
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -386,10 +386,14 @@ function getHost(req: express.Request): string | undefined {
 }
 }
- // Honor X-Forwarded-Host if present.
+ // Honor X-Forwarded-Host if present. Some reverse proxies will set multiple
+ // comma-separated hosts.
 const xHost = getFirstHeader(req, "x-forwarded-host")
 if (xHost) {
- return xHost.trim().toLowerCase()
+ const firstXHost = xHost.split(",")[0]
+ if (firstXHost) {
+ return firstXHost.trim().toLowerCase()
+ }
 }
 const host = getFirstHeader(req, "host")
diff --git a/test/unit/node/http.test.ts b/test/unit/node/http.test.ts
index d9f0271e3e81..59a09dc87eb1 100644
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@@ -58,6 +58,7 @@ describe("http", () => {
 ;[
 ["host", test.host],
 ["x-forwarded-host", test.host],
+ ["x-forwarded-host", `${test.host}, ${test.host}`],
 ["forwarded", `for=127.0.0.1, host=${test.host}, proto=http`],
 ["forwarded", `for=127.0.0.1;proto=http;host=${test.host}`],
 ["forwarded", `proto=http;host=${test.host}, for=127.0.0.1`],
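Review bot: A whitespace-only first entry passes the new `if (firstXHost)` guard, because the emptiness check runs before `trim()`; a header value such as ` , example.com` (constructed sample) makes getHost return `""` instead of falling through to the `Host` header. Trimming first closes that: `const firstXHost = xHost.split(",")[0]?.trim().toLowerCase()` followed by `if (firstXHost) { return firstXHost }`. Separately, the leftmost entry of an appended list is the one furthest from this server and is client-supplied unless the outermost proxy overwrites the header. If getHost feeds an origin or host-based check (its callers are outside this hunk), the comment should state that assumption, e.g. `// Leftmost entry is only trustworthy when the outermost proxy overwrites X-Forwarded-Host.` getHost's body starts and ends outside the hunk.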
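Review bot: The added case repeats `test.host` in both positions, so it would pass whether getHost picks the first entry, the last, or any other; it does not pin the "first entry wins" behaviour the source change introduces. A row with differing entries would pin it, e.g. ``["x-forwarded-host", `${test.host}, proxy.invalid`],`` (constructed hostname), assuming the loop compares the result against `test.host`, which is not visible here. A case with an empty or whitespace-only leading entry would also document the intended fallback to `Host`. The array and the enclosing `describe` block start and end outside the hunk.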