copy_safe_request() sheds unrecognized but safe HTTP headers #21468

@jeremystretch

NetBox Edition

NetBox Community

NetBox Version

v4.5.3

Python Version

3.12

Steps to Reproduce

This was originally raised under netboxlabs/netbox-branching#434 but represents a limitation in NetBox core.

Our copy_safe_request() utility function responsible for creating pickle-safe copies of HTTP requests (e.g. for background jobs) replicates only the META values defined in HTTP_REQUEST_META_SAFE_COPY. Thus, arbitrary headers such as X-NetBox-Branch (used by netbox-branching to indicate the active branch) are discarded.

Expected Behavior

Arbitrary but safe HTTP headers (e.g. X-NetBox-Branch) should be copied to the resulting request. Presumably, we could allow all HTTP headers (META keys beginning with HTTP_) that are 1) strings and 2) not known to convey sensitive data (e.g. Authorization or Cookie).

Alternatively, we could introduce a configuration parameter to whitelist known-safe headers administratively.

Observed Behavior

Only the HTTP headers included in HTTP_REQUEST_META_SAFE_COPY are preserved.

Labels

netbox

severity: low (Does not significantly disrupt application functionality, or a workaround is available)

status: accepted (This issue has been accepted for implementation)

type: bug (A confirmed report of unexpected behavior in the application)
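
The two policies proposed in the issue above (copy every string `HTTP_*` key except known-sensitive ones, or copy only administratively allowlisted headers), as an added example that is not part of the original issue and not NetBox's code. `copy_safe_meta`, `header_to_meta_key`, the sample baseline tuple (a stand-in for `HTTP_REQUEST_META_SAFE_COPY`, whose real contents are not shown on this page) and the `X-Upstream-Secret` header are hypothetical.

```python
# Added illustration, not NetBox's implementation.
# Credential-bearing headers in META form (HTTP_ prefix, upper case, underscores).
SENSITIVE_META_KEYS = frozenset({
    "HTTP_AUTHORIZATION", "HTTP_PROXY_AUTHORIZATION", "HTTP_COOKIE",
})


def header_to_meta_key(name):
    """Convert a header name such as 'X-NetBox-Branch' to its META key."""
    return "HTTP_" + name.upper().replace("-", "_")


def copy_safe_meta(meta, baseline_keys, extra_allowed_headers=None):
    """Return a pickle-safe subset of a request's META dict.

    baseline_keys: keys that are always copied (hypothetical stand-in for
        HTTP_REQUEST_META_SAFE_COPY).
    extra_allowed_headers: None selects the denylist policy (every string
        HTTP_* key except SENSITIVE_META_KEYS); an iterable of header names
        selects the allowlist policy (only those headers plus the baseline).
    """
    allowed = None
    if extra_allowed_headers is not None:
        allowed = {header_to_meta_key(h) for h in extra_allowed_headers}
    safe = {}
    for key, value in meta.items():
        if not isinstance(value, str):
            continue  # streams and other objects are not copied
        if key in SENSITIVE_META_KEYS:
            continue  # credentials are never copied, even if allowlisted
        if key in baseline_keys:
            safe[key] = value
        elif key.startswith("HTTP_") and (allowed is None or key in allowed):
            safe[key] = value
    return safe


# Constructed sample input; the baseline is a placeholder, not NetBox's tuple.
SAMPLE_BASELINE = ("REMOTE_ADDR", "HTTP_USER_AGENT")
SAMPLE_META = {
    "REMOTE_ADDR": "192.0.2.10",
    "SERVER_NAME": "netbox.example",
    "HTTP_USER_AGENT": "example-client/1.0",
    "HTTP_X_NETBOX_BRANCH": "abc123",
    "HTTP_AUTHORIZATION": "Token constructed-value",
    "HTTP_COOKIE": "sessionid=constructed",
    "HTTP_X_UPSTREAM_SECRET": "constructed",  # hypothetical custom header
    "wsgi.input": object(),  # stand-in for the request body stream
}
```

Under the denylist policy the constructed `HTTP_X_UPSTREAM_SECRET` value is still copied, because a denylist only knows the standard credential headers; the allowlist policy carries nothing beyond the baseline except `X-NetBox-Branch`.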
