passing attributes from mod_shib via proxy to an application

Cantor, Scott cantor.2 at osu.edu
Thu May 16 12:58:13 EDT 2019


On 5/16/19, 12:40 PM, "users on behalf of Marcus Schopen" <users-bounces at shibboleth.net on behalf of lists at localguru.de> wrote:

> Is it safer to run the Flask application with mod_wsgi and access the
> attributes of mod_shib as environment variables instead of sending them
> via HTTP header via mod_proxy?

The answer to almost any question that ends in "or use headers and proxy HTTP?" is that the first part of the sentence is safer.

Proxying is about the dumbest "thing done for security" there is; it's literally the opposite in almost every case I have ever seen. If your software is so porous that connecting it to the Internet to serve HTTP is too risky, you need new software. TLS performance is usually about the only rationale I buy for proxying, and that's largely historical and tends to add its own security risks.

-- Scott
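
[Added example, not part of the original message and not Shibboleth or Flask project code.] The sketch below shows where the two delivery paths from the question land in a WSGI environ: request headers arrive under HTTP_* keys, while variables set inside the web server keep their own names. The attribute name "eppn", the helper names and the sample values are assumptions made for illustration.

```python
# Added illustration; helper names, the "eppn" attribute and all values are assumed.

def build_environ(request_headers, server_vars):
    """Build a WSGI environ the way a CGI-style gateway does (PEP 3333).

    Client request headers become HTTP_<NAME> keys; variables set inside
    the web server (for example by an authentication module) keep their
    own names and are never derived from the request.
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    environ.update(server_vars)
    return environ


def user_from_header(environ, attr="eppn"):
    """Proxy-style lookup: the attribute is expected as a request header."""
    return environ.get("HTTP_" + attr.upper())


def user_from_server_var(environ, attr="eppn"):
    """mod_wsgi-style lookup: the attribute is a server-set environ key."""
    return environ.get(attr)


# Constructed sample: no SP session, but the request carries its own "eppn" header.
NO_SESSION = build_environ({"eppn": "someone-else@example.org"}, {})

# Constructed sample: same request header, and the SP has set the attribute server-side.
WITH_SESSION = build_environ({"eppn": "someone-else@example.org"},
                             {"eppn": "alice@example.org"})

if __name__ == "__main__":
    for label, env in (("no session", NO_SESSION), ("session", WITH_SESSION)):
        print(label,
              "| header lookup:", user_from_header(env),
              "| server-var lookup:", user_from_server_var(env))
```

The header lookup returns whatever reached the application in the request, so it is only as trustworthy as every hop that is supposed to strip or overwrite that header; the server-variable lookup cannot be populated from request headers at all.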



