fbacall
New Contributor
7 years ago

"Try It Out" leaks a secure Passenger header in its request

We have been having a strange issue when executing requests to our production API through SwaggerHub, where requests generate a 400 response with the message: "A secure header was provided, but no security password was provided".

After some Googling I discovered that this is an error from Passenger, which we are using to serve our Rails app through Apache. After some more testing, switching out our API endpoint with a service that echoes HTTP headers, I noticed that SwaggerHub is sending a header "!~Passenger-Client-Address". I guess this is some kind of protected header that SwaggerHub's Passenger uses internally, and because it is present in an incoming external request, our Passenger errors out.

Could this header be stripped out?

Here is the full set of headers returned from the echo service I used:

  "headers": {
    "!~Passenger-Client-Address": "10.101.10.191",
    "Accept": "application/json",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-GB,en;q=0.5",
    "Connection": "close",
    "Host": "httpbin.org",
    "Referer": "<my swaggerhub location>",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
  }
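
Added example, not part of the original post and not SwaggerHub or Passenger code: a check that runs over an echo-service response like the one above and flags headers a proxy should not forward upstream. The `!~` prefix rule is an assumption taken from the header name in the post; the sample JSON is constructed from the post's output, with the Referer replaced by a placeholder, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample: the echo output quoted in the post, wrapped in braces so
# that it parses as JSON (Referer replaced by a placeholder, some headers cut).
ECHO_RESPONSE = """
{
  "headers": {
    "!~Passenger-Client-Address": "10.101.10.191",
    "Accept": "application/json",
    "Connection": "close",
    "Host": "httpbin.org",
    "Referer": "https://example.invalid/placeholder"
  }
}
"""

# Assumption: a "!~" name prefix marks a header as internal to Passenger.
INTERNAL_PREFIXES = ("!~",)


def find_leaked_headers(echo_json):
    """Return (name, value, reason) for each header that should not leave the proxy."""
    findings = []
    for name, value in json.loads(echo_json)["headers"].items():
        if name.startswith(INTERNAL_PREFIXES):
            findings.append((name, value, "internal header name"))
            continue
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            continue  # value is not a bare IP address
        if addr.is_private:
            findings.append((name, value, "private address in value"))
    return findings


def strip_internal_headers(headers):
    """Drop internal-prefixed headers before a proxy forwards a request."""
    return {k: v for k, v in headers.items() if not k.startswith(INTERNAL_PREFIXES)}


if __name__ == "__main__":
    for name, value, reason in find_leaked_headers(ECHO_RESPONSE):
        print(f"{name}: {value} ({reason})")
```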

  • Nastya_Khovrina
    SmartBear Alumni (Retired)

    Hi Finn,

    Thank you for your post. We released a new version of SwaggerHub which should include a fix for this issue. Can you please check whether you still experience the issue?

    • fbacall
      New Contributor

      Hello,

      Yes, a colleague reported the issue via Twitter and it was fixed soon after.

      Cheers.