Information Disclosure via K-Proxy-Request Header

Description

The 'K-Proxy-Request' header is often used by certain reverse proxies or load balancers to signal proxy-related behaviors. If not properly secured or filtered, it can reveal internal proxy mechanisms to unauthorized parties, aiding reconnaissance and potentially exposing sensitive backend routing details. Attackers who discover this header may craft malicious requests that exploit internal trust assumptions or bypass security checks designed for direct traffic only. In some cases, it could be combined with other misconfigurations to escalate privileges, reroute traffic, or intercept communications. Ultimately, failing to address this header’s presence might leave the system vulnerable to proxy abuse or information disclosure attacks.

Remediation

Remove or sanitize the 'K-Proxy-Request' header if it is not essential to your environment. Configure your reverse proxy, load balancer, or application server to block or rewrite this header for external requests. If the header is required internally, ensure it is only used within trusted channels and cannot be spoofed from outside. Deploy a Web Application Firewall (WAF) or network-level firewall rules to detect and drop requests containing unexpected proxy headers. Regularly audit any custom or vendor-specific headers to confirm that they are properly restricted and do not leak sensitive information about your infrastructure.
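
As an added example (not code from this page or any vendor), the filter below implements the remediation above at the application edge: the header is dropped, and reported for alerting, when the TCP peer is not a trusted internal proxy, and it is stripped from outgoing responses so it is never disclosed. The trusted address ranges and the function names are assumptions for illustration.

```python
"""Drop the K-Proxy-Request header unless it arrives from a trusted proxy (added example)."""
from __future__ import annotations
from ipaddress import ip_address, ip_network

# Assumed trusted proxy ranges; replace with your own internal networks.
TRUSTED_PROXY_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
# Vendor/proxy-only headers that must never be accepted from or shown to external peers.
PROXY_HEADERS = ("k-proxy-request",)


def is_trusted_peer(remote_addr: str) -> bool:
    """True only when the direct TCP peer is inside a trusted proxy range."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:  # malformed or missing address is never trusted
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def sanitize_request_headers(headers: dict, remote_addr: str) -> tuple[dict, list]:
    """Return (cleaned headers, findings).

    Header names are matched case-insensitively. Proxy-only headers from an
    untrusted peer are removed and recorded so the event can be alerted on.
    """
    cleaned, findings = {}, []
    trusted = is_trusted_peer(remote_addr)
    for name, value in headers.items():
        if name.lower() in PROXY_HEADERS and not trusted:
            findings.append(f"dropped spoofed {name} from {remote_addr}: {value!r}")
            continue
        cleaned[name] = value
    return cleaned, findings


def strip_response_headers(response_headers: dict) -> dict:
    """Remove proxy-only headers from a response before it leaves the edge."""
    return {k: v for k, v in response_headers.items() if k.lower() not in PROXY_HEADERS}


if __name__ == "__main__":
    # Constructed sample request from an external address carrying the header.
    req = {"Host": "app.example", "K-Proxy-Request": "internal-route"}
    clean, alerts = sanitize_request_headers(req, "203.0.113.9")
    print(clean, alerts)
```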

References

https://owasp.org/www-project-secure-headers/
https://owasp.org/www-community/attacks/Content_Spoofing

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)