spring-cloud
diff --git a/‎docs/modules/ROOT/nav.adoc
Lines changed: 1 addition & 0 deletions b/‎docs/modules/ROOT/nav.adoc
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/modules/ROOT/pages/spring-cloud-gateway-server-mvc/httpheadersfilters.adoc
Lines changed: 45 additions & 0 deletions b/‎docs/modules/ROOT/pages/spring-cloud-gateway-server-mvc/httpheadersfilters.adoc
Lines changed: 45 additions & 0 deletions
diff --git a/‎docs/modules/ROOT/pages/spring-cloud-gateway/httpheadersfilters.adoc
Lines changed: 2 additions & 2 deletions b/‎docs/modules/ROOT/pages/spring-cloud-gateway/httpheadersfilters.adoc
Lines changed: 2 additions & 2 deletions
diff --git a/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/GatewayServerMvcAutoConfiguration.java
Lines changed: 9 additions & 7 deletions b/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/GatewayServerMvcAutoConfiguration.java
Lines changed: 9 additions & 7 deletions
diff --git a/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/config/GatewayMvcProperties.java
Lines changed: 15 additions & 0 deletions b/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/config/GatewayMvcProperties.java
Lines changed: 15 additions & 0 deletions
diff --git a/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/filter/ForwardedRequestHeadersFilter.java
Lines changed: 40 additions & 3 deletions b/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/filter/ForwardedRequestHeadersFilter.java
Lines changed: 40 additions & 3 deletions
diff --git a/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/filter/TrustedProxies.java
Lines changed: 120 additions & 0 deletions b/‎spring-cloud-gateway-server-mvc/src/main/java/org/springframework/cloud/gateway/server/mvc/filter/TrustedProxies.java
Lines changed: 120 additions & 0 deletions
@@ -109,6 +109,7 @@
 *** xref:spring-cloud-gateway-server-mvc/filters/requestsize.adoc[]
 *** xref:spring-cloud-gateway-server-mvc/filters/setrequesthostheader.adoc[]
 *** xref:spring-cloud-gateway-server-mvc/filters/tokenrelay.adoc[]
+** xref:spring-cloud-gateway-server-mvc/httpheadersfilters.adoc[]
 ** xref:spring-cloud-gateway-server-mvc/writing-custom-predicates-and-filters.adoc[]
 ** xref:spring-cloud-gateway-server-mvc/working-with-servlets-and-filters.adoc[]
 
 
@@ -0,0 +1,45 @@
+[[httpheadersfilters]]
+= HttpHeadersFilters
+
+HttpHeadersFilters are applied to the requests before sending them downstream, such as in the `NettyRoutingFilter`.
+
+[[forwarded-headers-filter]]
+== Forwarded Headers Filter
+The `Forwarded` Headers Filter creates a `Forwarded` header to send to the downstream service. It adds the `Host` header, scheme and port of the current request to any existing `Forwarded` header. To activate this filter set the `spring.cloud.gateway.mvc.trusted-proxies` property to a Java Regular Expression. This regular expression defines the proxies that are trusted when they appear in the `Forwarded` header.
+
+[[removehopbyhop-headers-filter]]
+== RemoveHopByHop Headers Filter
+The `RemoveHopByHop` Headers Filter removes headers from forwarded requests. The default list of headers that is removed comes from the https://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-7.1.3[IETF].
+
+.The default removed headers are:
+*  Connection
+*  Keep-Alive
+*  Proxy-Authenticate
+*  Proxy-Authorization
+*  TE
+*  Trailer
+*  Transfer-Encoding
+*  Upgrade
+
+//To change this, set the `spring.cloud.gateway.filter.remove-hop-by-hop.headers` property to the list of header names to remove.
+
+[[xforwarded-headers-filter]]
+== XForwarded Headers Filter
+The `XForwarded` Headers Filter creates various `X-Forwarded-*` headers to send to the downstream service. It uses the `Host` header, scheme, port and path of the current request to create the various headers.  To activate this filter set the `spring.cloud.gateway.mvc.trusted-proxies` property to a Java Regular Expression. This regular expression defines the proxies that are trusted when they appear in the `Forwarded` header.
+
+Creating of individual headers can be controlled by the following boolean properties (defaults to true):
+
+- `spring.cloud.gateway.x-forwarded.for-enabled`
+- `spring.cloud.gateway.x-forwarded.host-enabled`
+- `spring.cloud.gateway.x-forwarded.port-enabled`
+- `spring.cloud.gateway.x-forwarded.proto-enabled`
+- `spring.cloud.gateway.x-forwarded.prefix-enabled`
+
+Appending multiple headers can be controlled by the following boolean properties (defaults to true):
+
+- `spring.cloud.gateway.x-forwarded.for-append`
+- `spring.cloud.gateway.x-forwarded.host-append`
+- `spring.cloud.gateway.x-forwarded.port-append`
+- `spring.cloud.gateway.x-forwarded.proto-append`
+- `spring.cloud.gateway.x-forwarded.prefix-append`
+
@@ -5,7 +5,7 @@
 
 [[forwarded-headers-filter]]
 == Forwarded Headers Filter
-The `Forwarded` Headers Filter creates a `Forwarded` header to send to the downstream service. It adds the `Host` header, scheme and port of the current request to any existing `Forwarded` header.
+The `Forwarded` Headers Filter creates a `Forwarded` header to send to the downstream service. It adds the `Host` header, scheme and port of the current request to any existing `Forwarded` header. To activate this filter set the `spring.cloud.gateway.trusted-proxies` property to a Java Regular Expression. This regular expression defines the proxies that are trusted when they appear in the `Forwarded` header.
 
 [[removehopbyhop-headers-filter]]
 == RemoveHopByHop Headers Filter
@@ -25,7 +25,7 @@ To change this, set the `spring.cloud.gateway.filter.remove-hop-by-hop.headers`
 
 [[xforwarded-headers-filter]]
 == XForwarded Headers Filter
-The `XForwarded` Headers Filter creates various `X-Forwarded-*` headers to send to the downstream service. It uses the `Host` header, scheme, port and path of the current request to create the various headers.
+The `XForwarded` Headers Filter creates various `X-Forwarded-*` headers to send to the downstream service. It uses the `Host` header, scheme, port and path of the current request to create the various headers.  To activate this filter set the `spring.cloud.gateway.trusted-proxies` property to a Java Regular Expression. This regular expression defines the proxies that are trusted when they appear in the `Forwarded` header.
 
 Creating of individual headers can be controlled by the following boolean properties (defaults to true):
 
 
@@ -41,6 +41,7 @@
 import org.springframework.cloud.gateway.server.mvc.filter.RemoveHopByHopResponseHeadersFilter;
 import org.springframework.cloud.gateway.server.mvc.filter.RemoveHttp2StatusResponseHeadersFilter;
 import org.springframework.cloud.gateway.server.mvc.filter.TransferEncodingNormalizationRequestHeadersFilter;
+import org.springframework.cloud.gateway.server.mvc.filter.TrustedProxies;
 import org.springframework.cloud.gateway.server.mvc.filter.WeightCalculatorFilter;
 import org.springframework.cloud.gateway.server.mvc.filter.XForwardedRequestHeadersFilter;
 import org.springframework.cloud.gateway.server.mvc.filter.XForwardedRequestHeadersFilterProperties;
@@ -50,6 +51,7 @@
 import org.springframework.cloud.gateway.server.mvc.predicate.PredicateDiscoverer;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.env.Environment;
 import org.springframework.http.client.ClientHttpRequestFactory;
@@ -100,10 +102,9 @@ public FormFilter formFilter() {
 
 	@Bean
 	@ConditionalOnMissingBean
-	@ConditionalOnProperty(prefix = GatewayMvcProperties.PREFIX, name = "forwarded-request-headers-filter.enabled",
-			matchIfMissing = true)
-	public ForwardedRequestHeadersFilter forwardedRequestHeadersFilter() {
-		return new ForwardedRequestHeadersFilter();
+	@Conditional(TrustedProxies.ForwardedTrustedProxiesCondition.class)
+	public ForwardedRequestHeadersFilter forwardedRequestHeadersFilter(GatewayMvcProperties properties) {
+		return new ForwardedRequestHeadersFilter(properties.getTrustedProxies());
 	}
 
 	@Bean
@@ -207,9 +208,10 @@ public WeightCalculatorFilter weightCalculatorFilter() {
 	@ConditionalOnMissingBean
 	@ConditionalOnProperty(prefix = XForwardedRequestHeadersFilterProperties.PREFIX, name = ".enabled",
 			matchIfMissing = true)
-	public XForwardedRequestHeadersFilter xForwardedRequestHeadersFilter(
-			XForwardedRequestHeadersFilterProperties props) {
-		return new XForwardedRequestHeadersFilter(props);
+	@Conditional(TrustedProxies.XForwardedTrustedProxiesCondition.class)
+	public XForwardedRequestHeadersFilter xForwardedRequestHeadersFilter(XForwardedRequestHeadersFilterProperties props,
+			GatewayMvcProperties gatewayMvcProperties) {
+		return new XForwardedRequestHeadersFilter(props, gatewayMvcProperties.getTrustedProxies());
 	}
 
 	@Bean
 
@@ -65,6 +65,12 @@ public class GatewayMvcProperties {
 	 */
 	private int streamingBufferSize = 16384;
 
+	/**
+	 * Regular expression defining proxies that are trusted when they appear in a
+	 * Forwarded of X-Forwarded header.
+	 */
+	private String trustedProxies;
+
 	public List<RouteProperties> getRoutes() {
 		return routes;
 	}
@@ -101,13 +107,22 @@ public void setStreamingBufferSize(int streamingBufferSize) {
 		this.streamingBufferSize = streamingBufferSize;
 	}
 
+	public String getTrustedProxies() {
+		return trustedProxies;
+	}
+
+	public void setTrustedProxies(String trustedProxies) {
+		this.trustedProxies = trustedProxies;
+	}
+
 	@Override
 	public String toString() {
 		return new ToStringCreator(this).append("httpClient", httpClient)
 			.append("routes", routes)
 			.append("routesMap", routesMap)
 			.append("streamingMediaTypes", streamingMediaTypes)
 			.append("streamingBufferSize", streamingBufferSize)
+			.append("trustedProxies", trustedProxies)
 			.toString();
 	}
 
 
@@ -24,7 +24,12 @@
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.cloud.gateway.server.mvc.config.GatewayMvcProperties;
 import org.springframework.core.Ordered;
+import org.springframework.core.log.LogMessage;
 import org.springframework.http.HttpHeaders;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.LinkedCaseInsensitiveMap;
@@ -34,20 +39,38 @@
 
 public class ForwardedRequestHeadersFilter implements HttpHeadersFilter.RequestHttpHeadersFilter, Ordered {
 
+	private static final Log log = LogFactory.getLog(ForwardedRequestHeadersFilter.class);
+
 	/**
 	 * Forwarded header.
 	 */
 	public static final String FORWARDED_HEADER = "Forwarded";
 
+	private final TrustedProxies trustedProxies;
+
+	@Deprecated
+	public ForwardedRequestHeadersFilter() {
+		trustedProxies = s -> true;
+		log.warn(GatewayMvcProperties.PREFIX
+				+ ".trusted-proxies is not set. Using deprecated Constructor. Untrusted hosts might be added to Forwarded header.");
+	}
+
+	public ForwardedRequestHeadersFilter(String trustedProxiesRegex) {
+		trustedProxies = TrustedProxies.from(trustedProxiesRegex);
+	}
+
 	/* for testing */
 	static List<Forwarded> parse(List<String> values) {
 		ArrayList<Forwarded> forwardeds = new ArrayList<>();
 		if (CollectionUtils.isEmpty(values)) {
 			return forwardeds;
 		}
 		for (String value : values) {
-			Forwarded forwarded = parse(value);
-			forwardeds.add(forwarded);
+			String[] forwardedValues = StringUtils.tokenizeToStringArray(value, ",");
+			for (String forwardedValue : forwardedValues) {
+				Forwarded forwarded = parse(forwardedValue);
+				forwardeds.add(forwarded);
+			}
 		}
 		return forwardeds;
 	}
@@ -89,6 +112,13 @@ public int getOrder() {
 
 	@Override
 	public HttpHeaders apply(HttpHeaders input, ServerRequest request) {
+		if (request.servletRequest().getRemoteAddr() != null
+				&& !trustedProxies.isTrusted(request.servletRequest().getRemoteAddr())) {
+			log.trace(LogMessage.format("Remote address not trusted. pattern %s remote address %s", trustedProxies,
+					request.servletRequest().getRemoteHost()));
+			return input;
+		}
+
 		HttpHeaders original = input;
 		HttpHeaders updated = new HttpHeaders();
 
@@ -102,7 +132,10 @@ public HttpHeaders apply(HttpHeaders input, ServerRequest request) {
 		List<Forwarded> forwardeds = parse(original.get(FORWARDED_HEADER));
 
 		for (Forwarded f : forwardeds) {
-			updated.add(FORWARDED_HEADER, f.toHeaderValue());
+			// only add if "for" value matches trustedProxies
+			if (trustedProxies.isTrusted(f.get("for"))) {
+				updated.add(FORWARDED_HEADER, f.toHeaderValue());
+			}
 		}
 
 		// TODO: add new forwarded
@@ -124,6 +157,10 @@ public HttpHeaders apply(HttpHeaders input, ServerRequest request) {
 					forValue = "[" + forValue + "]";
 				}
 			}
+			if (!trustedProxies.isTrusted(forValue)) {
+				// don't add for value
+				return;
+			}
 			int port = remoteAddress.getPort();
 			if (port >= 0) {
 				forValue = forValue + ":" + port;
 
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2013-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gateway.server.mvc.filter;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import java.util.NoSuchElementException;
+import java.util.regex.Pattern;
+
+import org.springframework.boot.autoconfigure.condition.AllNestedConditions;
+import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
+import org.springframework.cloud.gateway.server.mvc.config.GatewayMvcProperties;
+import org.springframework.context.annotation.ConditionContext;
+import org.springframework.context.annotation.Conditional;
+import org.springframework.core.type.AnnotatedTypeMetadata;
+import org.springframework.lang.NonNull;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+@FunctionalInterface
+public interface TrustedProxies {
+
+	boolean isTrusted(String host);
+
+	static TrustedProxies from(@NonNull String trustedProxies) {
+		Assert.hasText(trustedProxies, "trustedProxies must not be empty");
+		Pattern pattern = Pattern.compile(trustedProxies);
+		return value -> pattern.matcher(value).matches();
+	}
+
+	class ForwardedTrustedProxiesCondition extends AllNestedConditions {
+
+		public ForwardedTrustedProxiesCondition() {
+			super(ConfigurationPhase.REGISTER_BEAN);
+		}
+
+		@ConditionalOnProperty(name = GatewayMvcProperties.PREFIX + ".forwarded-request-headers-filter.enabled",
+				matchIfMissing = true)
+		static class OnPropertyEnabled {
+
+		}
+
+		@ConditionalOnPropertyExists(GatewayMvcProperties.PREFIX + ".trusted-proxies")
+		static class OnTrustedProxiesNotEmpty {
+
+		}
+
+	}
+
+	class XForwardedTrustedProxiesCondition extends AllNestedConditions {
+
+		public XForwardedTrustedProxiesCondition() {
+			super(ConfigurationPhase.REGISTER_BEAN);
+		}
+
+		@ConditionalOnProperty(name = XForwardedRequestHeadersFilterProperties.PREFIX + ".enabled",
+				matchIfMissing = true)
+		static class OnPropertyEnabled {
+
+		}
+
+		@ConditionalOnPropertyExists(GatewayMvcProperties.PREFIX + ".trusted-proxies")
+		static class OnTrustedProxiesNotEmpty {
+
+		}
+
+	}
+
+	class OnPropertyExistsCondition extends SpringBootCondition {
+
+		@Override
+		public ConditionOutcome getMatchOutcome(ConditionContext context, AnnotatedTypeMetadata metadata) {
+			try {
+				String value = metadata.getAnnotations().get(ConditionalOnPropertyExists.class).getString("value");
+				String property = context.getEnvironment().getProperty(value);
+				if (!StringUtils.hasText(property)) {
+					return ConditionOutcome.noMatch(value + " property is not set or is empty.");
+				}
+				return ConditionOutcome.match(value + " property is not empty.");
+			}
+			catch (NoSuchElementException e) {
+				return ConditionOutcome.noMatch("Missing required property 'value' of @ConditionalOnPropertyExists");
+			}
+		}
+
+	}
+
+	@Retention(RetentionPolicy.RUNTIME)
+	@Target({ ElementType.TYPE, ElementType.METHOD })
+	@Documented
+	@Conditional(OnPropertyExistsCondition.class)
+	@interface ConditionalOnPropertyExists {
+
+		/**
+		 * @return the property
+		 */
+		String value();
+
+	}
+
+}