From f9a94ca7eb046d47f25b9d78ae7e65b2ea31a9d7 Mon Sep 17 00:00:00 2001
From: David Pedersen
Date: Wed, 9 Mar 2022 10:18:12 +0100
Subject: [PATCH] Add security note about `extract::Host` (#839)
---
 axum/src/extract/host.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/axum/src/extract/host.rs b/axum/src/extract/host.rs
index 8e2124fb..de5a43c2 100644
--- a/axum/src/extract/host.rs
+++ b/axum/src/extract/host.rs
@@ -4,7 +4,7 @@ use super::{
 };
 use async_trait::async_trait;
 
-const X_FORWARDED_HOST_HEADER_KEY: &'static str = "X-Forwarded-Host";
+const X_FORWARDED_HOST_HEADER_KEY: &str = "X-Forwarded-Host";
 
 /// Extractor that resolves the hostname of the request.
 ///
@@ -12,6 +12,9 @@ const X_FORWARDED_HOST_HEADER_KEY: &'static str = "X-Forwarded-Host";
 /// - `X-Forwarded-Host` header
 /// - `Host` header
 /// - request target / URI
+///
+/// Note that user agents can set `X-Forwarded-Host` and `Host` headers to arbitrary values so make
+/// sure to validate them to avoid security issues.
 #[derive(Debug, Clone)]
 pub struct Host(pub String);
 
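Review bot: The added doc note in the second hunk says to "validate" the headers but does not tell readers what the concrete risk is: the precedence list just above it resolves `X-Forwarded-Host` before `Host`, so any client that reaches the service without a trusted proxy in front can override the resolved hostname with a single header, and code that builds redirects, links or password-reset URLs from `Host(..)` will then emit attacker-chosen hosts. The note should say this explicitly and tell callers what validation looks like, for example `/// Only trust the forwarded header when the app sits behind a reverse proxy that strips or overwrites` followed by `/// it, and compare the resolved value against an allow-list of hostnames you actually serve.` Marking the list order as a security-relevant choice (rather than a neutral fallback chain) would also help readers who skim the doc. The first hunk is a lint-only change (`&'static str` to `&str` in a const) and needs no follow-up.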