lmao

server-rs/src/routes/pb_proxy.rs

@@ -23,9 +23,16 @@ pub async fn proxy_to_pocketbase(state: Arc<AppState>, req: Request) -> impl Int
     let method = req.method().clone();
     let mut builder = state.http_client.request(method, &url);
 
-    // Forward headers except host
+    // Forward only safe headers (allowlist)
+    const ALLOWED_HEADERS: &[&str] = &[
+        "content-type",
+        "accept",
+        "authorization",
+        "cookie",
+        "accept-language",
+    ];
     for (name, value) in req.headers() {
-        if name != "host" {
+        if ALLOWED_HEADERS.contains(&name.as_str()) {
             builder = builder.header(name.clone(), value.clone());
         }
     }