a429456987
release / release (push) Successful in 23s
The fetch service only stripped the four X-Weircon-* control headers, so any forwarding header injected upstream (X-Forwarded-For, X-Real-IP, Via, CDN client-IP headers, …) passed straight through to the target — leaking the caller's IP and proxy chain.

- Replace stripWeircon with stripIdentifying: removes the control headers plus all standard forwarding/origin-IP headers, with a prefix sweep for any vendor-specific X-Forwarded-* variant.
- NPM advanced.conf clears the same headers (defense in depth).
- Add TestStripIdentifying covering removal + survival of legit headers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
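A sketch of the stripping approach the commit message describes (exact-name removal plus a case-insensitive prefix sweep), added here as an example and not the project's own `stripIdentifying`. The function name, the header names beyond those listed in the message, and the `x-weircon-` prefix sweep are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Lowercased exact names. X-Forwarded-For (covered by the prefix sweep),
// X-Real-IP and Via are named in the commit message; the others are an
// assumed selection of well-known forwarding and CDN client-IP headers.
var exactNames = map[string]bool{
	"forwarded": true, "via": true, "x-real-ip": true, "x-client-ip": true,
	"x-cluster-client-ip": true, "cf-connecting-ip": true,
	"true-client-ip": true, "fastly-client-ip": true,
}

// Prefix sweep. "x-weircon-" is an assumption: the commit does not list the
// four control header names.
var sweptPrefixes = []string{"x-forwarded-", "x-weircon-"}

// stripIdentifyingSketch (hypothetical name) deletes matching headers from h
// in place and returns the removed keys, sorted, so callers can log them.
func stripIdentifyingSketch(h http.Header) []string {
	var removed []string
	for key := range h {
		// Compare lowercased so keys written straight into the map
		// without canonicalisation are still caught.
		lower := strings.ToLower(key)
		drop := exactNames[lower]
		for _, p := range sweptPrefixes {
			drop = drop || strings.HasPrefix(lower, p)
		}
		if drop {
			delete(h, key) // deleting during range is safe in Go
			removed = append(removed, key)
		}
	}
	sort.Strings(removed)
	return removed
}

func main() {
	// Constructed sample request headers (documentation addresses).
	h := http.Header{}
	h.Set("X-Forwarded-For", "203.0.113.7, 198.51.100.2")
	h.Set("X-Forwarded-Acme-Client", "203.0.113.7") // made-up vendor variant
	h.Set("Via", "1.1 edge-proxy")
	h.Set("Accept", "text/html")
	fmt.Println(stripIdentifyingSketch(h), h)
}
```

Matching on the lowercased key matters because `http.Header.Del` canonicalises its argument and would miss a key inserted into the map in raw lowercase form.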