fix(proxy): Correct hop-by-hop header handling per RFC 9110

[sugar-cat7]

The code references RFC 2616, which has been obsoleted by RFC 7230 (2014) and then RFC 9110 (2022).

Fixed hop-by-hop headers list

• Changed 'trailers' to 'trailer' in hopByHopHeaders array
  • RFC 2616 originally listed "Trailers" but this was an error, corrected in RFC 2616 Errata ID 4522 (Status: Verified)
  • Subsequent RFCs (7230, 9110) use Trailer (singular)
• Added missing 'upgrade' header
  • Required per RFC 9110 Section 7.6.1

Verified Connection header parsing

• RFC 9110 Section 7.6.1:

  Intermediaries MUST parse a received Connection header field before a message is forwarded and, for each connection-option in this field, remove any header or trailer field(s) from the message with the same name as the connection-option

• Add tests

• Run tests

• bun run format:fix && bun run lint:fix to format the code

• Add TSDoc/JSDoc to document the code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.33%. Comparing base (4b796cf) to head (ea37348).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4459      +/-   ##
==========================================
+ Coverage   91.32%   91.33%   +0.01%     
==========================================
  Files         173      173              
  Lines       11084    11107      +23     
  Branches     3201     3209       +8     
==========================================
+ Hits        10122    10145      +23     
  Misses        961      961              
  Partials        1        1              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[usualoma]

Verified Connection header parsing

Thank you for pointing that out! I wasn't aware of that specification.

However, if headers like the following can be specified in the connection value and deleted, it seems this could lead to issues classified as "Hop-by-Hop Header Injection".

• X-Forwarded-For
• X-Real-IP

While it's desirable to have functionality that respects the "Connection" header, I feel it should only be enabled explicitly as an option.

[sugar-cat7]

Verified Connection header parsing

Thank you for pointing that out! I wasn't aware of that specification.

However, if headers like the following can be specified in the connection value and deleted, it seems this could lead to issues classified as "Hop-by-Hop Header Injection".

• X-Forwarded-For
• X-Real-IP

While it's desirable to have functionality that respects the "Connection" header, I feel it should only be enabled explicitly as an option.

Thank you for pointing this out! You're absolutely right about the Hop-by-Hop Header Injection risk.

I've added a strictConnectionProcessing option (default: false):

• Default behavior: Ignores the Connection header entirely to prevent injection attacks
• Strict mode (true): Processes Connection header per RFC 9110 (use only in trusted environments)

[usualoma]

Hi @sugar-cat7, thanks for your help.
I believe strictConnectionProcessing should be fine!

Sorry, just one more thing when you have time.

When strictConnectionProcessing is enabled, the following request results in an "Internal Server Error". Since this option is mainly used in trusted environments, we generally don't need to worry about invalid values. However, configuration errors could still cause problems. In those cases, I think we should either return a 400 error or just ignore it.

$ curl -H 'connection: a a' http://localhost:3000/internal-proxy/x

[sugar-cat7]

Hi @sugar-cat7, thanks for your help. I believe strictConnectionProcessing should be fine!

Sorry, just one more thing when you have time.

When strictConnectionProcessing is enabled, the following request results in an "Internal Server Error". Since this option is mainly used in trusted environments, we generally don't need to worry about invalid values. However, configuration errors could still cause problems. In those cases, I think we should either return a 400 error or just ignore it.

$ curl -H 'connection: a a' http://localhost:3000/internal-proxy/x

@usualoma
Thank you for pointing this out!

• Added header (token) validation based on RFC 9110 Section 5.6.2, returning 400 on validation failure.

[usualoma]

I've left a comment, so please check it!

[usualoma]

Sorry for not explaining earlier, but I want to throw an HTTPException.

hono/src/validator/validator.ts

Line 81 in 4b796cf

throw new HTTPException(400, { message })

[sugar-cat7]

Changed to throw an error.

hono/src/helper/proxy/index.ts

Line 70 in ea37348

throw new HTTPException(400, {

[usualoma]

The variable name “result” seems to be a temporary variable used to hold the function's "result," so I believe it should be renamed.

[sugar-cat7]

Reverted to initial implementation and consolidated logic into buildRequestInitFromRequest since errors are now thrown.
ea37348

[usualoma]

Thank you. I think it’s a great improvement!

[yusukebe]

LGTM!

[yusukebe]

@sugar-cat7 @usualoma

Thanks! Merging and releasing a new version (it's a minor bump!).