"Try It Out" leaks a secure Passenger header in its request
We have been having a strange issue when executing requests to our production API through SwaggerHub, where requests generate a 400 response with the message: "A secure header was provided, but no security password was provided".
After some Googling I discovered that this is an error from Passenger, which we are using to serve our Rails app through Apache. After some more testing, switching out our API endpoint with a service that echoes HTTP headers, I noticed that SwaggerHub is sending a header "!~Passenger-Client-Address". I guess this is some kind of protected header that SwaggerHub's Passenger uses internally, and because it is present in an incoming external request, our Passenger errors out.
Could this header be stripped out?
Here is the full set of headers returned from the echo service I used:
"headers": {
  "!~Passenger-Client-Address": "10.101.10.191",
  "Accept": "application/json",
  "Accept-Encoding": "gzip, deflate, br",
  "Accept-Language": "en-GB,en;q=0.5",
  "Connection": "close",
  "Host": "httpbin.org",
  "Referer": "<my swaggerhub location>",
  "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
}
Hello,
Yes, a colleague reported the issue via Twitter and it was fixed soon after.
Cheers.
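The echo-service test described in the question can be turned into a repeatable check. The following is an added example, not part of the original thread and not SwaggerHub's or Passenger's code: it audits an echoed header set for names carrying the `!~` prefix seen above and for values that expose an internal address, and shows the strip a forwarding proxy would apply. The function names and the sample body are constructed for illustration, and it assumes the `!~` prefix is what marks a header as secure.

```ruby
require "json"
require "ipaddr"

# Assumption: the "!~" name prefix (as in the header from the post) marks a
# header as Passenger-internal; it must never leave the proxy that set it.
SECURE_PREFIX = "!~"

# Constructed sample: an echo-service body shaped like the one in the post.
ECHO_BODY = <<~JSON
  {"headers": {"!~Passenger-Client-Address": "10.101.10.191",
               "Accept": "application/json",
               "Connection": "close",
               "Host": "httpbin.org"}}
JSON

# True when the value parses as a private, loopback or link-local IP address.
def internal_address?(value)
  ip = IPAddr.new(value.to_s.strip)
  ip.private? || ip.loopback? || ip.link_local?
rescue IPAddr::Error
  false # not an IP address at all (e.g. "application/json")
end

# Report every echoed header that a client-facing proxy should not have sent.
def audit_echo(body)
  headers = JSON.parse(body).fetch("headers")
  findings = headers.map do |name, value|
    reasons = []
    reasons << "secure-header prefix" if name.start_with?(SECURE_PREFIX)
    reasons << "internal address in value" if internal_address?(value)
    { name: name, reasons: reasons } unless reasons.empty?
  end
  findings.compact
end

# The fix on the forwarding side: drop secure-prefixed names before sending.
def strip_secure_headers(headers)
  headers.reject { |name, _value| name.start_with?(SECURE_PREFIX) }
end

if __FILE__ == $PROGRAM_NAME
  audit_echo(ECHO_BODY).each do |f|
    puts "#{f[:name]}: #{f[:reasons].join(', ')}"
  end
end
```

Running the audit against an echo endpoint after each proxy or app-server change catches a regression before a downstream Passenger instance starts answering with 400.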