@tsaarni Hi,

However many popular proxies like NGINX and Envoy do not seem to support Forwarded - they do support X-Forwarded-*. As a result, application that enabled both will be subject to header forging (untrusted client setting Forwarded), unless user of the application realizes this and explicitly re-configures the proxy to overwrite Forwarded

Why then enable both if it is a concern in such cases ?

I have an example use case, where the end-user of a Quarkus-based application started to see the application suddenly act on Forwarded after upgrade, since the application had enabled both settings at the same time. It can be argued that application could/should have provided at least opt-out - as an alternative to requiring end-user to make changes in proxy. On the other hand, if the priority of X-Forwarded was first, it would match with what the popular proxies do by default.

While X-Forwarded-For is widely used, it is not a standard.
Conversely, Forwarded is defined in the RFC 7239 (https://tools.ietf.org/html/rfc7239) from 2014. It's kind of sad to still have usages of X-Forwarded-For as Forwarded was defined almost 10 years ago. It is also richer than the bare X-Forwarded-For.

So, I think the current behavior of Quarkus is correct. We prefer a standardized mechanism.

We could imagine an option to switch back the precedence, but it would need to be explicitly set.

I don't think an option to switch precedence would really help here. The problem is that people who don't know/don't care about these headers suddenly have an open attack surface if an attacker sends the headers with higher precedence. I am wondering if it would be better to to just not process requests if both headers are present and the values are not consistent...

I am wondering if it would be better to to just not process requests if both headers are present and the values are not consistent...

Oh, that's right! That would be clever solution to the problem.

I totally agree with @sschu idea.