passing attributes from mod_shib via proxy to an application

Cantor, Scott cantor.2 at
Thu May 16 12:58:13 EDT 2019

On 5/16/19, 12:40 PM, "users on behalf of Marcus Schopen" <users-bounces at on behalf of lists at> wrote:

> Is it safer to run the Flask application with mod_wsgi and access the
> attributes of mod_shib as environment variables instead of sending them
> via HTTP header via mod_proxy?

The answer to almost any question that ends in "or use headers and proxy HTTP?" is that the first part of the sentence is safer.

Proxying is about the dumbest "thing done for security" there is, it's literally the opposite in almost every case I have ever seen. If your software is so porous that connecting it to the Internet to serve HTTP is too risky, you need new software. TLS performance is usually about the only rationale I buy for proxying, and that's largely historical and tends to add its own security risks.

-- Scott

More information about the users mailing list