Reverse Proxy Review Checklist: Finding Hidden Trust Paths Before They Turn Into Risk
A practical tutorial for reviewing reverse proxy deployments so hidden trust assumptions, header handling mistakes, and logging gaps do not become security blind spots.

Key takeaways
- Map exactly where the reverse proxy sits in the trust chain and verify which systems can reach backends directly.
- Treat forwarded headers as security-relevant input and validate how client IP, scheme, host, and authentication context are set and trusted.
- Review routing, TLS termination, health checks, and error handling together because small proxy decisions often change backend security assumptions.
- Test observability during failure conditions so logs, alerts, and request tracing still explain what happened when the proxy is under stress.
Reverse proxies deserve periodic security reviews
Reverse proxies are often introduced for good reasons: TLS termination, load balancing, path routing, caching, authentication handoff, or simplifying application exposure. Over time, though, they can become one of the least-questioned parts of a stack.
That is where risk grows.
A reverse proxy sits in the middle of several security-sensitive decisions:
- who can reach an application
- what the backend believes about the client
- whether traffic is encrypted end to end
- which hostnames and paths are allowed
- what gets logged and what disappears
- how errors, retries, and failover behave under stress
If those decisions are not reviewed deliberately, the proxy can become a quiet blind spot rather than a protective layer.
This tutorial walks through a practical review process focused on defensive validation, not just configuration hygiene.
Start by drawing the real request path
Before checking settings, map the request flow as it exists today.
A simple diagram should answer:
- Where does client traffic enter?
- Which reverse proxy or load balancer handles it first?
- Is there more than one proxy hop?
- Where is TLS terminated, re-encrypted, or downgraded?
- Which backend services can be reached directly?
- Which systems add or trust forwarded headers?
- Where are access logs and error logs generated?
This matters because many review failures begin with an incomplete mental model. A team may think the public request path is:
Internet -> reverse proxy -> app
But the real path may be closer to:
Internet -> CDN -> WAF -> reverse proxy -> ingress -> service mesh -> app
Each layer may rewrite headers, change client IP visibility, alter timeouts, normalize paths, or inject its own trust assumptions.
Identify what the backend trusts implicitly
The most important review question is often this:
What does the backend assume the proxy already did?
Common assumptions include:
- the proxy already enforced HTTPS
- the proxy already verified the hostname
- the proxy already normalized the path
- the proxy already filtered malicious headers
- the proxy already authenticated the user
- the proxy already limited request size or rate
- the proxy already blocked direct internet exposure
These assumptions are not automatically wrong. They are dangerous when they are undocumented or only partially true.
A useful exercise is to list every backend-facing trust dependency in plain language. For example:
- Application trusts
X-Forwarded-Proto=httpsto decide whether cookies should be secure. - Application trusts
X-Forwarded-Forfor rate limiting and geo-based rules. - Internal admin routes are allowed because the proxy blocks them externally.
- Backend HTTP is considered acceptable because traffic stays inside a private network.
Once written down, each assumption can be tested.
Review direct access to backends first
A reverse proxy cannot be treated as a control boundary if backends are still reachable in ways that bypass it.
Check whether backend services are accessible:
- from the public internet
- from other internal segments that should not reach them
- from VPN users who were never meant to bypass the edge
- from container networks or orchestration nodes broadly
- from jump hosts used for administration
If direct access exists, ask what security controls are lost when the proxy is bypassed.
Examples:
- TLS is terminated at the proxy, but backend HTTP is exposed internally without compensating controls.
- Authentication is enforced at the proxy, but the backend accepts requests directly.
- IP allowlists exist on the proxy, but not on the application listener.
- Request size limits and rate limits exist only on the edge.
A strong review outcome is either:
- backends are not reachable except through intended proxy paths, or
- direct access is explicitly allowed and protected with equivalent controls
Audit forwarded headers as security input
Forwarded headers are one of the most common places where reverse proxy trust goes wrong.
They look operational, but they often influence security decisions.
Headers to inspect closely
At minimum, review handling for:
X-Forwarded-ForForwardedX-Real-IPX-Forwarded-ProtoX-Forwarded-HostX-Forwarded-Port- identity headers such as
X-Forwarded-User,X-Authenticated-User, or SSO-related headers
For each header, answer:
- Who sets it?
- Is an incoming client-supplied value overwritten, appended, or preserved?
- Which layer is the source of truth?
- Which application logic trusts it?
- What happens if multiple proxies add conflicting values?
Common header review mistakes
Trusting client-supplied IP data
If a public-facing proxy accepts an incoming X-Forwarded-For value from the client and passes it through without resetting trust, the backend may record or enforce policy on attacker-controlled IP data.
This can affect:
- rate limiting
- fraud controls
- geo restrictions
- audit logs
- abuse detection
Trusting X-Forwarded-Proto too broadly
Applications often use this header to decide whether to generate secure redirects, set secure cookies, or mark requests as HTTPS.
If a request can reach the app with a spoofed value, the application may behave as if transport guarantees already exist when they do not.
Using host headers without validation
Some applications build links, redirects, or tenant context from forwarded host information. If the proxy does not restrict valid hostnames, host header issues can spill into password reset links, callback URLs, tenant routing, or cache behavior.
What good looks like
A defensible setup usually has these properties:
- only trusted proxy hops may set forwarding headers
- untrusted client copies are removed or replaced
- applications know exactly which proxy networks are trusted
- logs record both immediate peer and derived client IP where relevant
- there is a single documented rule for canonical scheme and host handling
Check route and path handling for unintended exposure
Reverse proxies do more than pass traffic. They decide which paths, hosts, and methods reach which backends.
That makes routing logic part of your attack surface.
Review:
- hostname-based routing
- path prefixes and rewrites
- regex-based matches
- default backends
- wildcard virtual hosts
- method-specific handling
- WebSocket or HTTP/2 upgrade paths
- admin or internal endpoints that may still be routable
Questions worth asking
- Does a fallback vhost expose a default application unexpectedly?
- Can path normalization differences let a blocked route through?
- Are encoded slashes, duplicate slashes, or dot segments handled consistently?
- Do API and admin routes rely on proxy path rules that are broader than intended?
- Does the proxy strip or preserve path prefixes exactly as the backend expects?
A common issue is a backend believing /internal is unreachable externally because the main route table excludes it, while a wildcard rule, alternate hostname, or rewrite path still permits access.
Review TLS termination and re-encryption, not just certificates
Teams often verify that TLS exists at the edge and stop there. A meaningful review checks what happens after termination too.
Map:
- where TLS terminates
- whether traffic is re-encrypted to the backend
- whether backend certificates are validated
- whether hostname verification is enabled for upstream TLS
- whether old protocol versions or weak ciphers remain enabled on either side
Important review points
Backend TLS validation
If the proxy connects upstream over HTTPS but does not validate the backend certificate properly, the setup may provide less protection than expected.
Mixed assumptions around HTTP and HTTPS
If the backend receives plain HTTP from the proxy, verify that:
- the network path is appropriately restricted
- the backend never confuses internal HTTP with client HTTP
- security-sensitive application logic does not depend on ambiguous scheme handling
Redirect loops and downgrade confusion
Misaligned HTTP-to-HTTPS behavior between application and proxy can create redirect loops, lost security headers, or accidental exposure of non-secure endpoints.
Review authentication and identity propagation carefully
Many reverse proxies now participate directly in authentication.
Examples include:
- OIDC or SSO at the proxy layer
- client certificate validation at the edge
- basic auth in front of internal tools
- identity headers passed to upstream applications
These designs can be secure, but only if the trust boundary is explicit.
Check:
- how the proxy signals authenticated identity to the backend
- whether those identity headers are stripped from untrusted requests first
- whether the backend can also be reached without the proxy-enforced auth step
- whether logout, session expiration, and token refresh states are handled consistently
- whether error paths or alternate routes skip identity checks
One useful test is to send requests directly to the backend, if permitted in a lab or approved review environment, and confirm that identity-bearing headers alone are not enough to gain access.
Inspect error handling, timeouts, and fail-open behavior
Reverse proxies are often judged by success paths. Security reviews should examine failure paths.
Ask:
- What happens when the identity provider is unreachable?
- What happens when the backend is slow?
- What happens when header buffers overflow?
- What happens when a route is misconfigured or missing?
- What happens during certificate validation errors upstream?
- What happens when rate-limit backends or auth helpers are unavailable?
Look specifically for fail-open behavior such as:
- bypassing auth when a helper service fails
- serving a default backend that reveals sensitive information
- dropping logs during overload without alerting
- retrying non-idempotent requests in ways the application did not expect
Operational settings like timeouts and retries are not just reliability concerns. They can change request semantics and investigation quality.
Verify logging and traceability before an incident forces the issue
A reverse proxy review is incomplete without checking observability.
The goal is not “more logs” by default. The goal is enough accurate context to answer what happened.
Review whether logs capture:
- timestamp with consistent timezone and precision
- source IP and trusted client IP derivation
- hostname and path requested
- upstream target selected
- response status and bytes sent
- request ID or trace ID
- TLS details if useful for investigations
- auth outcome where appropriate
- proxy errors and upstream timeout indicators
Logging pitfalls that create blind spots
Losing the real client identity
If each layer logs a different IP field without documenting trust rules, incident responders may not know which address is authoritative.
Missing correlation between proxy and backend
A backend error without a shared request ID can be hard to match to the exact front-end request that triggered it.
Logging only success paths
If rejects, rewrites, and upstream failures are poorly logged, the most important evidence may vanish during active abuse.
Logging sensitive headers unsafely
Be careful not to overcorrect by dumping authorization tokens, session identifiers, or personal data into logs.
Test what your logs show during deliberate failure cases
Try controlled scenarios such as:
- invalid host header
- oversized request
- blocked path
- backend timeout
- upstream TLS validation error
- auth helper unavailable
Then confirm that the resulting logs are understandable and actionable.
Validate rate limiting and request normalization assumptions
Reverse proxies often enforce edge protections such as:
- request size limits
n- header count or size limits - body buffering rules
- connection limits
- rate limiting
- bot or abuse filters
Review whether these protections align with the backend’s expectations.
For example:
- Is rate limiting keyed on a trusted client IP or an attacker-controlled header?
- Do request normalization differences let equivalent paths bypass edge rules?
- Can chunked encoding, compression, or upgrade behavior reach the app differently than expected?
- Are different hostnames or CDNs applying different thresholds to the same backend?
Even if the proxy is not a full security gateway, it still shapes what the application sees. That shaping needs review.
Compare deployed behavior to documentation and templates
One of the most practical review steps is a three-way comparison:
- documented design
- version-controlled configuration templates
- actual running behavior
Blind spots often come from drift.
Examples:
- a temporary bypass route remained in production
- a backend listener was exposed for troubleshooting and never closed
- a proxy template strips headers, but a hand-edited node preserves them
- logging fields differ across environments, hurting incident response
If possible, sample from production-like environments rather than relying only on intended configuration state.
A compact review checklist you can reuse
Use this checklist during periodic reviews:
Trust boundary
- Map every proxy hop.
- Identify where TLS terminates and restarts.
- Confirm which systems are allowed to set forwarded headers.
- Verify whether backends are reachable without the proxy.
Header handling
- Reset or sanitize untrusted forwarding headers.
- Document canonical client IP handling.
- Validate scheme and host forwarding rules.
- Strip identity headers from untrusted requests.
Routing and exposure
- Review wildcard hosts, fallback routes, and default backends.
- Test path rewrites and normalization edge cases.
- Confirm internal or admin endpoints are not accidentally routable.
- Check upgrade paths such as WebSockets separately.
TLS and upstream security
- Validate backend certificates where HTTPS is used upstream.
- Confirm hostname verification behavior.
- Review protocol versions and cipher policy on both sides.
- Ensure application logic interprets secure transport correctly.
Authentication and identity
- Verify how auth is enforced and propagated.
- Test backend behavior without the proxy path.
- Confirm failure of auth dependencies does not fail open.
- Review session and logout consistency.
Logging and incident readiness
- Ensure request IDs are shared across layers.
- Capture enough context for path, host, source, and upstream target.
- Test logs during blocked, failed, and degraded scenarios.
- Avoid unsafe logging of secrets or sensitive tokens.
Build review habits, not one-time audits
A reverse proxy becomes a blind spot gradually.
Not because the technology is weak, but because teams stop revisiting the assumptions around it. New routes appear. More proxies get added. Authentication shifts outward. Logs change. Temporary exceptions stay in place.
The best defense is a lightweight, repeatable review habit:
- review after architecture changes
- review after major application routing changes
- review when new identity headers or auth layers are introduced
- review when observability pipelines are modified
- review during incident postmortems involving access confusion or missing context
Final thought
A reverse proxy is not just plumbing. It is a policy enforcement point, a trust translator, and often a source of truth for what the application believes about the client.
That is exactly why it deserves focused review.
If you can clearly explain who sets security-relevant headers, who trusts them, how backends are protected from bypass, and what your logs reveal during failure, you are far less likely to let the proxy become a hidden liability.
Frequently asked questions
Why does a reverse proxy become a blind spot so easily?
Because it often changes identity, routing, TLS, and authentication context at the same time. Teams may secure the application and the edge separately while missing the trust assumptions introduced between them.
Which headers deserve the closest review?
Start with X-Forwarded-For, Forwarded, X-Forwarded-Proto, X-Forwarded-Host, X-Real-IP, and any headers used for authentication or user identity. Review which device sets them, which systems trust them, and whether clients can inject or preserve them.
Is direct backend access always a problem?
Not always, but it must be intentional. If a backend assumes the proxy already handled TLS, authentication, IP filtering, or rate limiting, then unplanned direct access can bypass those controls and create a serious gap.




