[FooBarWidget]

But Nginx isn't vulnerable. All Nginx does is proxying the HTTP headers. It is the applications that run behind Nginx that may be vulnerable depending on how they set/use environment variables.

Saying Nginx is vulnerable is like saying that the Linux kernel is vulnerable to heartbleed.

[cleeus]

I think the CGI "standard" is to be blamed.

Whoever the f*ck had the briliant idea to alter the environment variables of a server child process through incoming HTTP headers should have his browsers environment variables altered by the servers responses.

[jimjag]

It's as much to blame by not, within the actual code, refusing to clear PROXY... Apache httpd isn't "vulnerable" either but it still created a code patch that ensures things don't sneak thru as WELL as proving a runtime workaround. Plus, even the nginx mailing list example shows that it's a security issue.