-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Stripping IP addresses
In order to prevent the Brave Ads backend application from having access to the user's IP address, the anonymous confirmation endpoints strips our users' IP address at the CDN layer.
Since these endpoints are hosted on Fastly's infrastructure, we use the
header.filter()
VCL
function
with the following list of headers to remove:
cf-connecting-ip
cf-pseudo-ipv4
cloudfront-viewer-address
fastly-client-ip
fastly-temp-xff
forwarded
forwarded-for
true-client-ip
x-appengine-user-ip
x-client-ip
x-cluster-client-ip
x-forwarded
x-forwarded-for
x-real-ip
Only a few of these headers are potentially exposed by Fastly. We have built an extensive list in order for this configuration to continue to work should this service be moved somewhere else in the future.
In addition, the backend application contains middleware which looks for the presence of these headers and rejects any request which includes them. This fail-safe allows us to easily detect any failure or misconfiguration of the CDN layer.
This is the middleware code which performs this check:
export function rejectIdentifyingHeaderMiddleware(
req: Request,
res: Response,
next: NextFunction,
) {
Object.entries(req.headers).forEach(([key, value]) => {
if (!IP_HEADERS.has(key)) return;
if (_.isEmpty(value)) return;
logger.error("request contained identifying header", { name: key });
throw new ServiceUnavailableException();
});
next();
}
where IP_HEADERS
contains the list of headers shown above.
Proxied images in Brave News use a private CDN which prevents Brave from associating IP addresses with specific image requests. Our proxy configuration can be verified by users.
For p2a.brave.com
, we use a reverse proxy operated by Cloudflare to prevent IP addresses from reaching our backend server.
Web Discovery Project submissions go through a reverse proxy operated by Cloudflare to prevent IP addresses from being potentially associated with browsing data.
Prior to reaching the Search backend, requests go through our custom nginx-based rate-limiter which removes the client IP address.
When proxying external services, such as the ones provided by Google, we run our own nginx-based proxy. Our nginx configuration ensures that the X-Forwarded-For
header is not present.