Skip to content

fix: make reverse proxy strip origin/referer hdr#102

Merged
supermario merged 3 commits into
lamdera:lamdera-nextfrom
cekrem:lamdera-next
Jun 19, 2026
Merged

fix: make reverse proxy strip origin/referer hdr#102
supermario merged 3 commits into
lamdera:lamdera-nextfrom
cekrem:lamdera-next

Conversation

@cekrem

@cekrem cekrem commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Quick Summary: Strip Origin and Referer headers in the reverse proxy so that requests from lamdera live's in-browser fake backend don't appear to originate from a browser, avoiding CORS rejections and other server-side browser-detection issues.

SSCCE

-- N/A — this is a tooling fix in the reverse proxy, not an Elm code issue.
  • Elm: N/A (tooling fix)
  • Browser: N/A
  • Operating System: N/A

Additional Details

The lamdera live dev workflow runs a fake backend in the browser. Requests routed through the reverse proxy (port 8001) carried browser headers like Origin and Referer, causing some servers to reject them or respond differently than they would to a real backend request. (Concrete example: Azure Entra with Authorization Code flow)

Fix: added a filter step in modReq (before the existing header transforms) to drop Origin and Referer. The User-Agent was already being replaced with "node", so this completes the picture of making proxied requests look like they come from a non-browser client.

Bumped patch version to 1.4.2.

@miniBill

Copy link
Copy Markdown
Member

The header change seems sensible, but please don't touch the version number. We'll do that as part of the release process

@cekrem

cekrem commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

The header change seems sensible, but please don't touch the version number. We'll do that as part of the release process

Very sorry, didn't mean to overstep. I'll revert that one.

@supermario

Copy link
Copy Markdown
Member

Given that node allows you to set an Origin header as desired and Lamdera backends should have the same capability I’d prefer this was refined to only strip off the value is localhost:$PORT where $PORT is the currently running Lamdera live process port binding.

This both removes the browser set origin which isn’t expected while still allowing other intentional Origin headers.

@cekrem

cekrem commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Fair point! I'll make it so ☺️

@cekrem

cekrem commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

will this suffice? I also stopped removing the referer, it won't make a difference in terms of CORS issues anyway

@supermario supermario merged commit a7d5429 into lamdera:lamdera-next Jun 19, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants