Is your feature request related to a problem? Please describe.
After a few tests, it looks like NPM automatically forwards X-Forwarded-For headers to the backend if already present. I'm unsure how safe it is to blindly pass this kind of information on. Some software does require knowing who originally sent the request, but I can't see a straightforward way to distinguish between spoofed headers and real ones. I would assume that best practice is for the front-facing proxy to drop headers of this kind (or maybe even the entire request since it probably is nefarious).
Describe the solution you'd like
A clear toggle to disable this behaviour seems adequate.
Describe alternatives you've considered
It can probably be configured within the advanced settings section.
Additional context
None.
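An added example (not part of the original issue, and not Nginx Proxy Manager's code): a Python model of the append behaviour described above, next to a backend-side parser that accepts only the hop recorded by a known proxy. The function names, the 10.0.0.0/8 proxy network and the sample addresses are constructed assumptions.

```python
import ipaddress

def proxy_append(incoming_xff, peer_ip):
    # Edge proxy that keeps a client-supplied value and appends the peer
    # address (the forwarding behaviour the issue describes).
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip

def proxy_overwrite(incoming_xff, peer_ip):
    # Edge proxy that discards whatever the client sent.
    return peer_ip

def naive_leftmost(xff):
    # Common backend mistake: treat the first entry as the client.
    return xff.split(",")[0].strip()

def client_ip(xff, peer_ip, trusted_nets):
    # Walk the chain right to left; the first address that is not one of our
    # own proxies is the client. Anything left of it is unverifiable.
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    trusted = lambda a: any(a in n for n in nets)
    peer = ipaddress.ip_address(peer_ip)
    if not trusted(peer):
        return str(peer)  # not behind our proxy: ignore the header entirely
    for hop in reversed([h.strip() for h in (xff or "").split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # empty or malformed entry: fall back to the peer
        if not trusted(addr):
            return str(addr)
    return str(peer)

# Constructed sample values (documentation address ranges).
TRUSTED = ["10.0.0.0/8"]        # assumed network of the reverse proxy
PROXY = "10.0.0.2"              # address the backend sees as its peer
REAL_CLIENT = "203.0.113.7"     # address the proxy sees as its peer
SPOOFED = "198.51.100.99"       # value the client put in X-Forwarded-For

def demo():
    appended = proxy_append(SPOOFED, REAL_CLIENT)
    return {
        "header_after_append": appended,
        "naive_backend": naive_leftmost(appended),
        "right_to_left_backend": client_ip(appended, PROXY, TRUSTED),
        "header_after_overwrite": proxy_overwrite(SPOOFED, REAL_CLIENT),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With appending, the entry the proxy itself wrote is always the rightmost one, so a backend that reads from the right and stops at the first non-proxy address is unaffected by client-supplied entries; a backend that reads the leftmost entry is not.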