`Astro.request.url` no longer reflects validated `X-Forwarded-Proto`/`X-Forwarded-Host` since @astrojs/node 10.1 — diverges from `Astro.url` behind TLS-terminating proxies

[beckerei]

Im upfront: The description and reproduction were created with (the help of) claude. The bug is real within our application.

---

Astro Info

Astro                    v6.4.2
Node                     v22.x
System                   Linux (Docker, behind TLS-terminating edge proxy)
Package Manager          pnpm
Output                   server
Adapter                  @astrojs/node 10.1.2 (mode: 'middleware')
Integrations             @astrojs/react


`security.allowedDomains` is configured (so forwarded-header validation is opted into):


// astro.config.mjs
export default defineConfig({
  output: 'server',
  security: {
    allowedDomains: [{ protocol: 'https', hostname: '**.example.com' }],
  },
  adapter: node({ mode: 'middleware' }),
});

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

Since @astrojs/node 10.1 (we upgraded 10.0.5 → 10.1.2 together with astro 6.1 → 6.4), the URL of the Request object exposed to middleware and pages (context.request.url / Astro.request.url) no longer honors X-Forwarded-Proto / X-Forwarded-Host, even when the forwarded host is validated against security.allowedDomains.

Behind a TLS-terminating proxy (edge does HTTPS, internal hop to the Node server is plain HTTP), request.url now always reports http:// and the internal Host, while Astro.url / context.url correctly report the forwarded origin. The two now permanently disagree:

// middleware behind a proxy sending X-Forwarded-Proto: https
export const onRequest = defineMiddleware(({ url, request }, next) => {
  console.log(url.href);         // https://app.example.com/page   ✅ forwarded headers applied
  console.log(request.url);      // http://app.example.com/page    ❌ socket-derived only
  return next();
});

In 10.0.5 both reported https://app.example.com/page.

Root cause

The adapter previously built the Request via createRequest from astro/app/node, which resolves X-Forwarded-Proto/Host/Port (validated against allowedDomains via validateForwardedHeaders) into the Request URL itself.

#16811 (commit e0e26db, "Resolve X-Forwarded-* headers inside FetchState") moved forwarded-header resolution into FetchState's constructor and, in the same change, switched the adapter's request construction in packages/integrations/node/src/serve-app.ts:

-import { createRequest, writeResponse, getAbortControllerCleanup } from 'astro/app/node';
+import { createRequestFromNodeRequest, writeResponse, getAbortControllerCleanup } from 'astro/app/node';
...
-			request = createRequest(req, {
+			request = createRequestFromNodeRequest(req, {

createRequestFromNodeRequest derives the protocol exclusively from req.socket.encrypted and the host from the Host header (packages/astro/src/core/app/node.ts). The allowedDomains option it receives is only used to decide whether to trust x-forwarded-for for clientAddress — never for URL construction.

The new resolution site, FetchState#applyForwardedHeaders() (packages/astro/src/core/fetch/fetch-state.ts), updates only this.url and this.clientAddress. It does not reconstruct this.request, so the Request keeps the socket-derived URL for its entire lifetime:

// fetch-state.js — updates this.url only; this.request is untouched
#applyForwardedHeaders() {
  ...
  if (validated.protocol) this.url.protocol = validated.protocol + ':';
  if (validated.host) { this.url.hostname = ...; }
  ...
}

So #16811 fixed Astro.url for the FetchState path but silently dropped the forwarded origin from Astro.request.url, which createRequest had been providing.

Impact

Any server code that derives absolute URLs from Astro.request.url (or new URL(request.url)) breaks behind a proxy:

• auth/session libraries that take the Request object and read its URL (callback URLs, redirect targets),
• code generating absolute links — in our case a navigation service whose server-rendered link hrefs flipped from https:// to http://, breaking client-side URL matching,
• anything comparing request.url against context.url (they now differ in origin).

The regression is invisible in local dev (no proxy) and only manifests in proxied deployments.

What's the expected result?

When the forwarded host validates against security.allowedDomains (the explicit opt-in), Astro.request.url should reflect the forwarded origin — matching both Astro.url and the 10.0.5 behavior of createRequest.

Possible fixes:

1. Have the node adapter resolve validated forwarded headers when constructing the Request again — e.g. make createRequestFromNodeRequest apply validateForwardedHeaders to the URL (it already receives allowedDomains), or switch serve-app.ts back to createRequest.
2. Alternatively, have FetchState#applyForwardedHeaders() reconstruct this.request with the resolved URL so request.url and this.url can't disagree.

Either way the validation gate on security.allowedDomains is preserved, so this doesn't reopen the host-header-injection surface that the recent hardening addressed — without allowedDomains configured, forwarded headers would remain untrusted exactly as today.

Link to Minimal Reproducible Example

https://github.com/beckerei/astro-forwarded-url-repro

Participation

• I am willing to submit a pull request for this issue.

[astrobot-houston]

• Reproduced: Yes
• Exploration: Yes — View branch
• Unit Test: Yes — packages/astro/test/units/fetch/index.test.ts (two new tests in the "FetchState X-Forwarded-* header resolution" describe block)
• Priority: P3: minor bug. This regression affects SSR apps deployed behind TLS-terminating proxies that have opted into security.allowedDomains. While auth/session libraries and URL generation can break, it requires a specific deployment topology (reverse proxy + allowedDomains config) and Astro.url still works correctly as a workaround.

This is a regression introduced by #16811 (commit e0e26dbf). That PR moved X-Forwarded-* header resolution from Request construction (createRequest) into FetchState#applyForwardedHeaders(). The new method correctly updates this.url (exposed as Astro.url), but since Request.url is a readonly string per the Web API spec, this.request.url (exposed as Astro.request.url) was left with the original socket-derived http:// URL. The two now permanently disagree behind a proxy.

I found a potential fix for this issue. The fix reconstructs this.request with the forwarded URL at the end of #applyForwardedHeaders() via new Request(this.url, oldRequest), keeping all headers/method/body intact while updating the URL. Symbol-keyed properties (like appSymbol) are also carried over to the new Request. Only one file was changed: packages/astro/src/core/fetch/fetch-state.ts.

Try this fix

You can test this fix right now without waiting for a release:

npm i https://pkg.pr.new/astro@015f5fb

If this fixes your issue, please leave a comment letting us know (e.g. "confirmed, this fixes it"). We'll then open a pull request to get this merged.

Full Triage Report

Triage Report: Issue #16945

Issue Title

Astro.request.url no longer reflects validated X-Forwarded-Proto/X-Forwarded-Host since @astrojs/node 10.1 — diverges from Astro.url behind TLS-terminating proxies

Issue URL

#16945

Issue Author

@beckerei

Root Cause

Introduced by PR #16811 (commit e0e26dbfe9, "Resolve X-Forwarded-* headers inside FetchState"). The PR moved forwarded-header resolution from createRequest (which baked validated forwarded headers into the Request URL) into FetchState#applyForwardedHeaders(). The new method updates this.url (a mutable URL object) but not this.request (whose .url is a readonly string). Since Request.url cannot be modified in place, this.request retains the socket-derived http:// URL for its entire lifetime.

Reproduction

Confirmed by building an SSR project with @astrojs/node (standalone), configuring security.allowedDomains, and sending a request with X-Forwarded-Proto: https / X-Forwarded-Host: app.example.com:

context.url  (Astro.url):          https://app.example.com/url.json  ✅
request.url  (Astro.request.url):  http://app.example.com/url.json   ❌

Without forwarded headers, both agree (baseline confirmed).

Fix

Two changes in packages/astro/src/core/fetch/fetch-state.ts:

1. #applyForwardedHeaders(): After updating this.url, reconstructs this.request via new Request(this.url, oldRequest) and carries over symbol-keyed properties from the old request.

2. Constructor: Changed originPathnameSymbol operations to use this.request instead of the local request parameter, since #applyForwardedHeaders() may have replaced it.

Diff

diff --git a/packages/astro/src/core/fetch/fetch-state.ts b/packages/astro/src/core/fetch/fetch-state.ts
index 3b531477e8..d6f13683bd 100644
--- a/packages/astro/src/core/fetch/fetch-state.ts
+++ b/packages/astro/src/core/fetch/fetch-state.ts
@@ -278,10 +278,12 @@ export class FetchState implements AstroFetchState {
 			this.#applyForwardedHeaders();
 		}
 
-		// Set origin pathname for rewrite tracking.
-		if (!Reflect.get(request, originPathnameSymbol)) {
+		// Set origin pathname for rewrite tracking. Use this.request
+		// (not the local parameter) because #applyForwardedHeaders()
+		// may have reconstructed it with a forwarded URL.
+		if (!Reflect.get(this.request, originPathnameSymbol)) {
 			setOriginPathname(
-				request,
+				this.request,
 				this.pathname,
 				pipeline.manifest.trailingSlash,
 				pipeline.manifest.buildFormat,
@@ -914,6 +916,17 @@ export class FetchState implements AstroFetchState {
 				this.clientAddress = forwardedFor;
 			}
 		}
+
+		// Reconstruct the Request with the resolved URL so that
+		// request.url stays in sync with this.url. Request.url is a
+		// readonly string, so we must create a new Request object.
+		const oldRequest = this.request;
+		this.request = new Request(this.url, oldRequest);
+		// Carry over any symbol-keyed properties (e.g. appSymbol,
+		// clientAddressSymbol) that were attached to the old request.
+		for (const sym of Object.getOwnPropertySymbols(oldRequest)) {
+			Reflect.set(this.request, sym, Reflect.get(oldRequest, sym));
+		}
 	}

Test Results

• 47/47 unit tests pass in test/units/fetch/index.test.ts (including 2 new regression tests)
• 2848/2848 unit tests pass across all packages/astro/test/units/
• 175/175 tests pass in packages/integrations/node/test/
• No regressions detected

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.