[GH-ISSUE #264] Bug: Rewrite proxy strips cookie/authorization headers, breaking backend auth #69

Closed
opened 2026-05-06 12:36:58 +02:00 by BreizhHardware · 0 comments

Originally created by @17hz on GitHub (Mar 5, 2026).
Original GitHub issue: https://github.com/cloudflare/vinext/issues/264

Description

proxyExternalRequest (in config-matchers.ts) and __proxyExternalRequest (inlined in app-dev-server.ts) unconditionally strip cookie, authorization, x-api-key, and proxy-authorization headers from proxied rewrite requests. This breaks authentication for users who use rewrites to proxy to their own backend services.

Root Cause

The proxy functions contain:

headers.delete("cookie");
headers.delete("authorization");
headers.delete("x-api-key");
headers.delete("proxy-authorization");

This was added as a security measure to prevent credential leakage to third-party origins. However, the most common use case for rewrites is proxying to the user's own backend, where these credentials are required.

Reproduction

// next.config.ts
import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  rewrites: () => [
    {
      source: "/api/:path*",
      // proxy to the application's own backend, read from the environment
      destination: `${process.env.BACKEND_URL}/api/:path*`,
    },
  ],
};

export default nextConfig;

Any authenticated request to /api/... will fail because the authorization header and cookies are stripped before reaching the backend.

Expected Behavior

Next.js itself does not strip these headers for rewrite proxies — it forwards all headers as-is to the destination. vinext should match this behavior for compatibility.

Suggested Fix

Remove the blanket credential stripping. If security hardening is desired for third-party origins, consider:

  1. Matching Next.js behavior by default (forward all headers)
  2. Optionally allowing users to configure header stripping per-rewrite rule

Environment

  • vinext: 0.0.21
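The two options in the suggested fix (forward all headers by default, strip credentials only where a rewrite rule asks for it) as an added example. This is not vinext's or Next.js' code; the names RewriteRule, stripCredentials, trustedOrigins, buildProxyHeaders and the sample request headers are assumptions made for illustration.

```typescript
// Added example, not vinext or Next.js code. Names below are assumptions.

// The four headers the reported proxy deletes unconditionally.
const CREDENTIAL_HEADERS = ["cookie", "authorization", "x-api-key", "proxy-authorization"] as const;

type StripMode = boolean | "third-party";

interface RewriteRule {
  source: string;
  destination: string;
  // Assumed per-rule option (not a real Next.js option):
  //   undefined / false -> forward every header (Next.js behaviour, the default)
  //   "third-party"     -> strip credentials unless the destination origin is trusted
  //   true              -> always strip credentials
  stripCredentials?: StripMode;
}

interface ProxyPolicy {
  // Origins other than the app's own that may receive the user's credentials.
  trustedOrigins: string[];
}

// Resolve a destination (absolute URL or app-relative path) to an origin.
// Pattern segments such as ":path*" are ordinary path characters to the URL parser.
function destinationOrigin(destination: string, appOrigin: string): string {
  return new URL(destination, appOrigin).origin;
}

// Compare full origins (scheme + host + port), never a hostname substring.
function isThirdParty(rule: RewriteRule, appOrigin: string, policy: ProxyPolicy): boolean {
  const target = destinationOrigin(rule.destination, appOrigin);
  const trusted = new Set([appOrigin, ...policy.trustedOrigins].map((o) => new URL(o).origin));
  return !trusted.has(target);
}

// Mirrors the behaviour reported in the issue: credentials are always removed.
function stripAlways(incoming: Headers): Headers {
  const out = new Headers(incoming);
  for (const name of CREDENTIAL_HEADERS) out.delete(name);
  return out;
}

// Proposed behaviour: forward everything unless the rule opts in to stripping.
// The incoming Headers object is copied, never mutated.
function buildProxyHeaders(
  incoming: Headers,
  rule: RewriteRule,
  appOrigin: string,
  policy: ProxyPolicy = { trustedOrigins: [] },
): Headers {
  const mode = rule.stripCredentials ?? false;
  const shouldStrip = mode === true || (mode === "third-party" && isThirdParty(rule, appOrigin, policy));
  return shouldStrip ? stripAlways(incoming) : new Headers(incoming);
}

// Constructed sample request headers and rules for a stand-alone check.
function demo(): Record<string, boolean> {
  const incoming = new Headers({ cookie: "session=abc", authorization: "Bearer token", accept: "application/json" });
  const appOrigin = "https://app.example";
  const ownBackend: RewriteRule = { source: "/api/:path*", destination: "https://backend.example/api/:path*" };
  const hardened: RewriteRule = { ...ownBackend, stripCredentials: "third-party" };
  return {
    defaultKeepsCookie: buildProxyHeaders(incoming, ownBackend, appOrigin).has("cookie"),
    thirdPartyStrips: !buildProxyHeaders(incoming, hardened, appOrigin).has("authorization"),
    trustedKeeps: buildProxyHeaders(incoming, hardened, appOrigin, { trustedOrigins: ["https://backend.example/"] }).has("authorization"),
  };
}

console.log(JSON.stringify(demo()));
```

With no stripCredentials set, the rule behaves like Next.js and the backend receives the cookie and authorization headers. A relative destination resolves to the app's own origin, so "third-party" mode never strips on internal rewrites; an absolute destination assembled from an environment variable is compared by full origin, so a typo or an overridden BACKEND_URL pointing elsewhere gets the credentials removed rather than leaked.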