[PR #4] [MERGED] fix(proxy): remove internal ID headers from proxy responses #6

New issue

Closed

opened 2026-03-02 05:12:30 +03:00 by kerem · 0 comments

kerem commented 2026-03-02 05:12:30 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/gotempsh/temps/pull/4
Author: @dviejokfs
Created: 2/16/2026
Status: ✅ Merged
Merged: 2/16/2026
Merged by: @dviejokfs

Base: main ← Head: feat/remove-internal-id-response-headers

---

📝 Commits (1)

• 6768f6d fix(proxy): remove internal ID headers from proxy responses

📊 Changes

2 files changed (+19 additions, -11 deletions)

View changed files

📝 README.md (+19 -1)
📝 crates/temps-proxy/src/proxy.rs (+0 -10)

📄 Description

Summary

• Remove X-Project-ID, X-Environment-ID, and X-Deployment-ID headers from proxy responses — these leaked sequential internal integer IDs to end users, enabling enumeration and exposing potential IDOR attack surface
• Preserve X-Request-ID for request tracing — operators can correlate with server-side logs for full routing context
• Update README to add transactional email + DKIM and MCP server features to the feature matrix

Security

The removed headers exposed internal database IDs (sequential integers) on every proxied response. This allowed external observers to:

• Enumerate how many projects/environments/deployments exist
• Track growth rate over time
• Potentially use IDs for IDOR attacks against any endpoint that accepts these IDs

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/gotempsh/temps/pull/4 **Author:** [@dviejokfs](https://github.com/dviejokfs) **Created:** 2/16/2026 **Status:** ✅ Merged **Merged:** 2/16/2026 **Merged by:** [@dviejokfs](https://github.com/dviejokfs) **Base:** `main` ← **Head:** `feat/remove-internal-id-response-headers` --- ### 📝 Commits (1) - [`6768f6d`](https://github.com/gotempsh/temps/commit/6768f6dcbb81e3b800783b891943b5322ffbae14) fix(proxy): remove internal ID headers from proxy responses ### 📊 Changes **2 files changed** (+19 additions, -11 deletions) <details> <summary>View changed files</summary> 📝 `README.md` (+19 -1) 📝 `crates/temps-proxy/src/proxy.rs` (+0 -10) </details> ### 📄 Description ## Summary - **Remove `X-Project-ID`, `X-Environment-ID`, and `X-Deployment-ID`** headers from proxy responses — these leaked sequential internal integer IDs to end users, enabling enumeration and exposing potential IDOR attack surface - **Preserve `X-Request-ID`** for request tracing — operators can correlate with server-side logs for full routing context - **Update README** to add transactional email + DKIM and MCP server features to the feature matrix ## Security The removed headers exposed internal database IDs (sequential integers) on every proxied response. This allowed external observers to: - Enumerate how many projects/environments/deployments exist - Track growth rate over time - Potentially use IDs for IDOR attacks against any endpoint that accepts these IDs --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem 2026-03-02 05:12:30 +03:00

• closed this issue
• added the
  pull-request
  label

kerem referenced this issue 2026-03-02 05:12:31 +03:00

[PR #6] [MERGED] fix(cli): move logs under deployments subcommand and fix log rendering #11

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

feat/autopilot

fix/dependabot-vulnerabilities

v0.1.0-beta.2

v0.1.0-beta.1

v0.0.8

v0.0.7-beta1

v0.0.6

v0.0.6-beta11

v0.0.6-beta10

v0.0.6-beta9

v0.0.6-beta8

v0.0.6-beta7

v0.0.6-beta6

v0.0.6-beta5

v0.0.6-beta4

v0.0.6-beta3

v0.0.6-beta.2

v0.0.6-beta.1

v0.0.5

v0.0.4

v0.0.3

v0.0.2-beta9

v0.0.2-beta8

v0.0.2-beta7

v0.0.2-beta6

v0.0.2-beta5

v0.0.2-beta4

v0.0.2-beta3

v0.0.2-beta2

v0.0.2-beta1

v0.0.1

v0.0.1-beta28

v0.0.1-beta27

v0.0.1-beta26

v0.0.1-beta25

v0.0.1-beta24

v0.0.1-beta23

v0.0.1-beta22

v0.0.1-beta21

v0.0.1-beta20

v0.0.1-beta19

v0.0.1-beta18

v0.0.1-beta17

v0.0.1-beta16

v0.0.1-beta15

v0.0.1-beta14

v0.0.1-beta13

v0.0.1-beta12

v0.0.1-beta11

v0.0.1-beta10

v0.0.1-beta9

v0.0.1-beta8

v0.0.1-beta7

v0.0.1-beta6

v0.0.1-beta5

test-v0.0.1-beta2

v0.0.1-beta4

v0.0.1-beta3

test-v0.0.1-beta1

v0.0.1-beta2

v0.0.1-beta1

v0.1.0-test

Labels

Clear labels   

bug

  

enhancement

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

enhancement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/temps#6

No description provided.