#21128: Security/Voice Call: require trusted proxy IPs for forwarded-header trust
channel: voice-call
size: M
Cluster: Security Enhancements and Fixes
## Summary
- require trusted proxy IPs whenever voice-call webhook forwarding-header trust paths are enabled (`allowedHosts` or `trustForwardingHeaders`)
- tighten webhook URL reconstruction so forwarded headers are only trusted from explicitly configured trusted proxy IPs
- add config validation + regression tests covering reject/allow/fallback behavior
## Testing
- `pnpm test extensions/voice-call/src/config.test.ts`
- `pnpm test extensions/voice-call/src/webhook-security.test.ts`
*(in this environment these commands cannot run because `pnpm` is not installed on PATH)*
<h3>Greptile Summary</h3>
Tightened webhook security by requiring explicit `trustedProxyIPs` configuration whenever forwarded-header trust is enabled through `allowedHosts` or `trustForwardingHeaders`. The critical security fix changes line 197 in `webhook-security.ts` from `!hasTrustedProxyIPs ||` to `hasTrustedProxyIPs &&`, preventing forwarded headers from being trusted by default when no proxy IPs are configured.
**Key changes:**
- Config validation enforces `trustedProxyIPs` must be non-empty when using `allowedHosts` or `trustForwardingHeaders`
- Webhook URL reconstruction now requires both forwarding-trust enablement AND request from trusted proxy IP
- Test coverage validates the reject/allow/fallback behavior
- CHANGELOG entry documents the security fix
**Minor gap:** Test coverage could include an explicit case for requests from untrusted proxy IPs (IP present but not in trusted list).
<h3>Confidence Score: 4/5</h3>
- Safe to merge with minimal risk - addresses a legitimate security concern with proper validation
- The change correctly fixes a security issue where forwarded headers could be trusted without verifying the request source. The logic change is simple and correct (changing OR to AND), config validation prevents misconfiguration, and tests cover the main scenarios. Score is 4 (not 5) due to minor test coverage gap for the untrusted-proxy-IP scenario.
- No files require special attention
<sub>Last reviewed commit: cb024eb</sub>
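As an added illustration of the two rules this PR describes (config validation, and the `hasTrustedProxyIPs &&` condition in URL reconstruction), including the untrusted-proxy-IP case the review above flags as untested. This is example code, not the voice-call extension's own `config.ts` or `webhook-security.ts`: the field names follow the PR, while the function names, the request shape and the `X-Forwarded-Host` / `X-Forwarded-Proto` header names are assumptions.

```typescript
// Added example, not the voice-call extension's own code. Field names (allowedHosts,
// trustForwardingHeaders, trustedProxyIPs) follow the PR; the function names, the request
// shape and the X-Forwarded-Host / X-Forwarded-Proto header names are this example's assumptions.
type VoiceCallConfig = {
  allowedHosts?: string[];          // allowlist of externally visible hosts (enables forwarding trust)
  trustForwardingHeaders?: boolean; // honour forwarded headers (enables forwarding trust)
  trustedProxyIPs?: string[];       // peers whose forwarded headers may be believed
};
type IncomingRequest = {
  remoteIP: string;                 // peer address as seen by the socket
  socketProto: "http" | "https";    // scheme of the listener itself
  socketHost: string;               // host:port the listener is bound to
  headers: Record<string, string>;  // lower-cased header names
};
function usesForwardingTrust(cfg: VoiceCallConfig): boolean {
  return (cfg.allowedHosts?.length ?? 0) > 0 || cfg.trustForwardingHeaders === true;
}
// Config validation: any forwarded-header trust path requires an explicit proxy allowlist.
function validateConfig(cfg: VoiceCallConfig): string[] {
  const errors: string[] = [];
  if (usesForwardingTrust(cfg) && (cfg.trustedProxyIPs?.length ?? 0) === 0) {
    errors.push("trustedProxyIPs must be non-empty when allowedHosts or trustForwardingHeaders is set");
  }
  return errors;
}
// Webhook URL reconstruction. Forwarded headers count only when forwarding trust is enabled
// AND the request came from a configured trusted proxy (the PR's `hasTrustedProxyIPs &&`
// condition); in every other case the socket-level scheme and host are used and the
// client-supplied headers are ignored.
function reconstructWebhookUrl(cfg: VoiceCallConfig, req: IncomingRequest, path: string): string {
  const hasTrustedProxyIPs = (cfg.trustedProxyIPs?.length ?? 0) > 0;
  const fromTrustedProxy = hasTrustedProxyIPs && (cfg.trustedProxyIPs ?? []).includes(req.remoteIP);
  const trustForwarded = usesForwardingTrust(cfg) && fromTrustedProxy;
  const fallback = `${req.socketProto}://${req.socketHost}${path}`;
  if (!trustForwarded) return fallback;
  const fwdHost = req.headers["x-forwarded-host"];
  const fwdProto = req.headers["x-forwarded-proto"];
  if (!fwdHost) return fallback;
  // When allowedHosts is configured it also bounds which forwarded host is accepted.
  if (cfg.allowedHosts && cfg.allowedHosts.length > 0 && !cfg.allowedHosts.includes(fwdHost)) {
    return fallback;
  }
  const proto = fwdProto === "http" || fwdProto === "https" ? fwdProto : req.socketProto;
  return `${proto}://${fwdHost}${path}`;
}
```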