fix: Add security header stripping in vcl_recv + test #126
|
That error was more annoying to find the fix for - caused by fresh pulling in v9 not 7.x (Or pin to 7.x I suppose is an option)
|
@toonvd @peterjaap Any chance you can review this and #127? Thanks!
|
Should be solved at offload or webserver level imho. Magento (and a lot of hostings) use Varnish for caching, not for security.
|
I don't know anyone who uses Varnish as their security layer to be fair, but it's the Swiss cheese model/defensive posturing. Not everyone who uses this will have something in front, or something in-between (that strips them) to handle this; it's just a small addition to ensure this VCL isn't one of those holes.
Varnish VCL forwarding some known abusable headers to the Magento backend.