From f3cfc4c3c9672451ca9ca877aef5aed6737a4f87 Mon Sep 17 00:00:00 2001
From: Cohee <18619528+Cohee1207@users.noreply.github.com>
Date: Mon, 22 Jul 2024 14:19:20 +0000
Subject: [PATCH] Disalow x-forwarded headers in CORS redirect

---
 server.js | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/server.js b/server.js
index 1f226dc68..766629b37 100644
--- a/server.js
+++ b/server.js
@@ -168,14 +168,14 @@ if (enableCorsProxy) {
 try {
 const headers = JSON.parse(JSON.stringify(req.headers));
- delete headers['x-csrf-token'];
- delete headers['host'];
- delete headers['referer'];
- delete headers['origin'];
- delete headers['cookie'];
- delete headers['sec-fetch-mode'];
- delete headers['sec-fetch-site'];
- delete headers['sec-fetch-dest'];
+ const headersToRemove = [
+ 'x-csrf-token', 'host', 'referer', 'origin', 'cookie',
+ 'x-forwarded-for', 'x-forwarded-protocol', 'x-forwarded-proto',
+ 'x-forwarded-host', 'x-real-ip', 'sec-fetch-mode',
+ 'sec-fetch-site', 'sec-fetch-dest',
+ ];
+
+ headersToRemove.forEach(header => delete headers[header]);
 const bodyMethods = ['POST', 'PUT', 'PATCH'];