"Try It Out" leaks a secure Passenger header in its request

SOLVED

We have been having a strange issue when executing requests to our production API through SwaggerHub, where requests generate a 400 response with the message: "A secure header was provided, but no security password was provided".

 

After some Googling I discovered that this is an error from Passenger, which we are using to serve our Rails app through Apache. After some more testing, switching out our API endpoint with a service that echoes HTTP headers, I noticed that SwaggerHub is sending a header "!~Passenger-Client-Address". I guess this is some kind of protected header that SwaggerHub's Passenger uses internally, and because it is present in an incoming external request, our Passenger errors out.

 

Could this header be stripped out?

 

Here is the full set of headers returned from the echo service I used:

  "headers": {
    "!~Passenger-Client-Address": "10.101.10.191",
    "Accept": "application/json",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-GB,en;q=0.5",
    "Connection": "close",
    "Host": "httpbin.org",
    "Referer": "<my swaggerhub location>",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
  }
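
Added example, not part of the original thread: a small Python check over an echo-service response like the one above, flagging any header that carries the `!~` prefix seen on the leaked header or whose value is a private IP address. Treating `!~` as the marker for proxy-internal headers is an assumption drawn from the header name in the post, and the function names are hypothetical.

```python
import ipaddress
import json

# Prefix seen on the leaked header in the post above; treating every header
# that starts with it as proxy-internal is an assumption of this example.
INTERNAL_PREFIX = "!~"

# Echo-service response rebuilt from headers quoted in the post
# (wrapped in an object so that it parses as JSON).
SAMPLE_ECHO = """
{
  "headers": {
    "!~Passenger-Client-Address": "10.101.10.191",
    "Accept": "application/json",
    "Connection": "close",
    "Host": "httpbin.org"
  }
}
"""


def is_private_ip(value):
    """True if value parses as an IP address that is not publicly routable."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False  # not an IP address at all (e.g. a host name)
    return addr.is_private


def find_leaked_headers(echo_body):
    """Return findings for headers with the internal prefix or a private address."""
    headers = json.loads(echo_body).get("headers", {})
    findings = []
    for name, value in headers.items():
        internal = name.startswith(INTERNAL_PREFIX)
        private = is_private_ip(str(value))
        if internal or private:
            findings.append({"header": name, "value": value,
                             "internal_prefix": internal,
                             "private_address": private})
    return findings


if __name__ == "__main__":
    for finding in find_leaked_headers(SAMPLE_ECHO):
        print(finding)
```
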

 

Accepted Solutions

Re: "Try It Out" leaks a secure Passenger header in its request

Hello,

 

Yes, a colleague reported the issue via Twitter and it was fixed soon after.

 

Cheers.

Moderator

Re: "Try It Out" leaks a secure Passenger header in its request

Hi Finn,

 

Thank you for your post. We released a new version of SwaggerHub which should include a fix for this issue. Can you please check whether you still experience the issue?


