Header entries php-auth-user and php-auth-pw were generated out of thin air

[kai-alpha]

First, thanks for running a wonderful service. This is what I just noticed:

$ curl -u foo:bar http://webhook.site/55ac8d86-7966-4014-acd5-296cdb59a488

https://webhook.site/#/55ac8d86-7966-4014-acd5-296cdb59a488/ea8a260f-7534-43bf-9142-e1c940ecb827/1

php-auth-user foo
php-auth-pw bar

I have no experience with PHP myself but I'm guessing they are related to $_SERVER['PHP_AUTH_USER']

[fredsted]

Thanks, that certainly seems to be the case. PHP's handling of headers is... idiosyncratic... to say the least. I'll try removing them when the Authorization header is set.

[fredsted]

I've decided to leave this as is. There's no way to check if these headers are set on purpose or if they're from PHP.

[Krystofee]

Maybe you could just somehow differentiate them from other headers. Because we've experienced a problem in our team (which don't have strong php knowledge) that our devs take these headers as granted in the actual request and not as a feature of php (lol...).

Just a note about these pair of headers that says "These headers can be computed from Authorization header" would be much appreciated.

[fredsted]

@Krystofee Makes sense. I'll see if it can be avoided, perhaps at the web server/haproxy layer.