Last updated: April 29, 2026
Application code routinely trusts HTTP headers. X-Forwarded-For for client IP. Host for routing. Origin for CORS. Each is attacker-controllable in some path.
If your code does if (request.headers["X-Admin-Override"] == "true"), you’ve created a backdoor. If your code trusts X-Forwarded-For without validating the immediate peer, you’ve created an IP-spoofing primitive.
The mindset: each header your code reads is a trust assumption. Document where it’s set, who can set it, and whether each contributor is trustworthy.
Module Quiz · 3 questions
Pass with 80%+ to mark this module complete. Unlimited retries. Each question shows an explanation.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.