fixup! fix(@angular/ssr): support all X-Forwarded-* headers when trustProxyHeaders is true

alan-agius4 · alan-agius4 · commit 6b1ccc545003 · 2026-05-13T08:02:16.000Z
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -9,7 +9,7 @@
 /**
  * Internal sentinel string representing a wildcard rule to trust all proxy headers.
  */
-const TRUST_ALL_PROXY_HEADERS = 'ɵ*';
+const TRUST_ALL_PROXY_HEADERS = '*';
 
 /**
  * The set of headers that should be validated for host header injection attacks.
@@ -251,5 +251,12 @@ export function normalizeTrustProxyHeaders(
     return new Set([TRUST_ALL_PROXY_HEADERS]);
   }
 
-  return new Set(trustProxyHeaders.map((h) => h.toLowerCase()));
+  const normalizedTrustedProxyHeaders = new Set(trustProxyHeaders.map((h) => h.toLowerCase()));
+  if (normalizedTrustedProxyHeaders.has(TRUST_ALL_PROXY_HEADERS)) {
+    throw new Error(
+      `"${TRUST_ALL_PROXY_HEADERS}" is not allowed as a value for the "trustProxyHeaders" option.`,
+    );
+  }
+
+  return normalizedTrustedProxyHeaders;
 }
diff --git a/packages/angular/ssr/test/utils/validation_spec.ts b/packages/angular/ssr/test/utils/validation_spec.ts
@@ -38,6 +38,35 @@ describe('Validation Utils', () => {
     });
   });
 
+  describe('normalizeTrustProxyHeaders', () => {
+    it('should return an empty set when input is undefined', () => {
+      expect(normalizeTrustProxyHeaders(undefined)).toEqual(new Set());
+    });
+
+    it('should return an empty set when input is false', () => {
+      expect(normalizeTrustProxyHeaders(false)).toEqual(new Set());
+    });
+
+    it('should return a set containing "*" when input is true', () => {
+      expect(normalizeTrustProxyHeaders(true)).toEqual(new Set(['*']));
+    });
+
+    it('should return a set of lowercased header names when input is an array of strings', () => {
+      expect(normalizeTrustProxyHeaders(['X-Forwarded-Host', 'X-Forwarded-Proto'])).toEqual(
+        new Set(['x-forwarded-host', 'x-forwarded-proto']),
+      );
+    });
+
+    it('should throw an error if input array contains "*"', () => {
+      expect(() => normalizeTrustProxyHeaders(['*'])).toThrowError(
+        '"*" is not allowed as a value for the "trustProxyHeaders" option.',
+      );
+      expect(() => normalizeTrustProxyHeaders(['X-Forwarded-Host', '*'])).toThrowError(
+        '"*" is not allowed as a value for the "trustProxyHeaders" option.',
+      );
+    });
+  });
+
   describe('validateUrl', () => {
     const allowedHosts = new Set(['example.com', '*.google.com']);
 
