The Sneaky Slash

How a Double Forward Slash Bypassed My HAProxy Security Rules

Introduction

Yesterday, I discovered a concerning security hole in my HAProxy configuration that made me question how secure my admin area really was. I’m sharing this finding and solution to help others who might have the same vulnerability without realizing it.

The Discovery

I had set up HAProxy to protect my website’s admin panel using a seemingly solid approach: