## Background and value

Behind several layers of proxies, the headers that describe a request's origin are easy to forge. Sanitizing them once, inside a trusted proxy chain, and passing only consistent origin information to the backend improves both security and the accuracy of audit logs.

## Unified standard

- Trusted proxies: only controlled CIDR ranges or gateway IPs count as trusted sources of origin headers.
- Sanitization policy: strip externally supplied Forwarded / X-Forwarded-* headers and keep only those injected by the gateway.
- Consistency: the application layer uses only the sanitized origin information.

## Core implementation

Trust check and header sanitization (illustrative):

```typescript
// Assumes header names are already lowercased, as Node's IncomingMessage.headers delivers them.
type Req = { headers: Record<string, string | undefined>; remote_addr: string }

// Only these ranges are treated as trusted proxies.
const trustedCidrs = ['203.0.113.0/24']

function ipv4ToInt(ip: string): number {
  const m = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
  if (!m) return -1
  const n = m.slice(1).map(Number)
  for (const x of n) if (x < 0 || x > 255) return -1
  return ((n[0] << 24) >>> 0) + (n[1] << 16) + (n[2] << 8) + n[3]
}

function inCidr(ip: string, cidr: string): boolean {
  const [b, p] = cidr.split('/')
  const prefix = Number(p)
  if (!(prefix >= 0 && prefix <= 32)) return false
  const base = ipv4ToInt(b)
  const v = ipv4ToInt(ip)
  if (base < 0 || v < 0) return false
  // A /0 prefix must mask nothing; (~0 << 32) would wrongly yield a /32 mask in JavaScript.
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0
  return ((v & mask) >>> 0) === ((base & mask) >>> 0)
}

function trusted(ip: string): boolean {
  for (const c of trustedCidrs) if (inCidr(ip, c)) return true
  return false
}

// Keep forwarding headers only when the direct peer is a trusted proxy; otherwise drop them all.
function cleanHeaders(req: Req): Record<string, string> {
  const h: Record<string, string> = {}
  if (trusted(req.remote_addr)) {
    const fwd = req.headers['forwarded']
    const xff = req.headers['x-forwarded-for']
    const proto = req.headers['x-forwarded-proto']
    if (fwd) h['Forwarded'] = fwd
    if (xff) h['X-Forwarded-For'] = xff
    if (proto) h['X-Forwarded-Proto'] = proto
  }
  return h
}
```

## Deployment advice

Sanitize origin headers at the gateway layer so that only trusted proxies inject them; the application layer uses only the sanitized headers to determine where a request came from.

## Verification checklist

- Are origin headers trusted only when they arrive from controlled CIDR ranges?
- Does the application layer use the origin information consistently?
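The gateway-side strip-and-inject step and the matching application-side client-address resolution described above, as an added example that is not part of the original post. It reuses the post's 203.0.113.0/24 trusted range; the `Req` shape with its `tls` flag and the sample addresses (198.51.100.7 as the client, 10.0.0.1 as a forged entry) are constructed.

```typescript
// Header names are assumed lowercased, as Node's IncomingMessage.headers delivers them.
type Headers = Record<string, string | undefined>;
// Constructed request shape: headers, the direct TCP peer, and whether this hop used TLS.
type Req = { headers: Headers; remote_addr: string; tls: boolean };
// Trusted proxy range from the post (a documentation range, TEST-NET-3).
const TRUSTED_CIDRS = ["203.0.113.0/24"];

function ipv4ToInt(ip: string): number {
  const m = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return -1;
  const n = m.slice(1).map(Number);
  if (n.some((x) => x > 255)) return -1;
  return ((n[0] << 24) >>> 0) + (n[1] << 16) + (n[2] << 8) + n[3];
}

function inCidr(ip: string, cidr: string): boolean {
  const [b, p] = cidr.split("/");
  const prefix = Number(p), base = ipv4ToInt(b), v = ipv4ToInt(ip);
  if (base < 0 || v < 0 || !(prefix >= 0 && prefix <= 32)) return false;
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0; // a /0 would otherwise wrap to /32
  return ((v & mask) >>> 0) === ((base & mask) >>> 0);
}

const isTrusted = (ip: string): boolean => TRUSTED_CIDRS.some((c) => inCidr(ip, c));

// Gateway side: forwarding headers from an untrusted peer are discarded outright; a chain handed
// over by a trusted upstream proxy is kept and the peer appended, so every hop was seen by us.
function gatewayInject(req: Req): Headers {
  const out: Headers = {};
  for (const [k, v] of Object.entries(req.headers)) {
    if (k !== "forwarded" && !k.startsWith("x-forwarded-")) out[k] = v;
  }
  const fromProxy = isTrusted(req.remote_addr);
  const prev = fromProxy ? req.headers["x-forwarded-for"] : undefined;
  out["x-forwarded-for"] = prev ? `${prev}, ${req.remote_addr}` : req.remote_addr;
  out["x-forwarded-proto"] = (fromProxy && req.headers["x-forwarded-proto"]) || (req.tls ? "https" : "http");
  return out;
}

// Application side: use the chain only when the direct peer is a trusted proxy, then walk it
// from the right and return the first address that is not one of our own proxies.
function clientIp(headers: Headers, remoteAddr: string): string {
  if (!isTrusted(remoteAddr)) return remoteAddr;
  const hops = (headers["x-forwarded-for"] ?? "").split(",").map((s) => s.trim());
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = hops[i];
    if (hop && !isTrusted(hop)) return hop;
  }
  return remoteAddr;
}
```

Run the same request through `gatewayInject` once per trusted hop and hand the final headers to `clientIp`; a forged `x-forwarded-for` sent by the client never survives the first trusted hop.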
