ingress-nginx-helm/docs/user-guide/nginx-configuration/annotations-risk.md

# Annotations Scope and Risk

|Group   |Annotation        | Risk | Scope |
|--------|------------------|------|-------|
| Aliases | server-alias | High | ingress |
| Allowlist | allowlist-source-range | Medium | location |
| BackendProtocol | backend-protocol | Low | location |
| BasicDigestAuth | auth-realm | Medium | location |
| BasicDigestAuth | auth-secret | Medium | location |
| BasicDigestAuth | auth-secret-type | Low | location |
| BasicDigestAuth | auth-type | Low | location |
| Canary | canary | Low | ingress |
| Canary | canary-by-cookie | Medium | ingress |
| Canary | canary-by-header | Medium | ingress |
| Canary | canary-by-header-pattern | Medium | ingress |
| Canary | canary-by-header-value | Medium | ingress |
| Canary | canary-weight | Low | ingress |
| Canary | canary-weight-total | Low | ingress |
| CertificateAuth | auth-tls-error-page | High | location |
| CertificateAuth | auth-tls-match-cn | High | location |
| CertificateAuth | auth-tls-pass-certificate-to-upstream | Low | location |
| CertificateAuth | auth-tls-secret | Medium | location |
| CertificateAuth | auth-tls-verify-client | Medium | location |
| CertificateAuth | auth-tls-verify-depth | Low | location |
| ClientBodyBufferSize | client-body-buffer-size | Low | location |
| ConfigurationSnippet | configuration-snippet | Critical | location |
| Connection | connection-proxy-header | Low | location |
| CorsConfig | cors-allow-credentials | Low | ingress |
| CorsConfig | cors-allow-headers | Medium | ingress |
| CorsConfig | cors-allow-methods | Medium | ingress |
| CorsConfig | cors-allow-origin | Medium | ingress |
| CorsConfig | cors-expose-headers | Medium | ingress |
| CorsConfig | cors-max-age | Low | ingress |
| CorsConfig | enable-cors | Low | ingress |
| CustomHTTPErrors | custom-http-errors | Low | location |
| CustomHeaders | custom-headers | Medium | location |
| DefaultBackend | default-backend | Low | location |
| Denylist | denylist-source-range | Medium | location |
| DisableProxyInterceptErrors | disable-proxy-intercept-errors | Low | location |
| EnableGlobalAuth | enable-global-auth | Low | location |
| ExternalAuth | auth-always-set-cookie | Low | location |
| ExternalAuth | auth-cache-duration | Medium | location |
| ExternalAuth | auth-cache-key | Medium | location |
| ExternalAuth | auth-keepalive | Low | location |
| ExternalAuth | auth-keepalive-requests | Low | location |
| ExternalAuth | auth-keepalive-share-vars | Low | location |
| ExternalAuth | auth-keepalive-timeout | Low | location |
| ExternalAuth | auth-method | Low | location |
| ExternalAuth | auth-proxy-set-headers | Medium | location |
| ExternalAuth | auth-request-redirect | Medium | location |
| ExternalAuth | auth-response-headers | Medium | location |
| ExternalAuth | auth-signin | High | location |
| ExternalAuth | auth-signin-redirect-param | Medium | location |
| ExternalAuth | auth-snippet | Critical | location |
| ExternalAuth | auth-url | High | location |
| FastCGI | fastcgi-index | Medium | location |
| FastCGI | fastcgi-params-configmap | Medium | location |
| HTTP2PushPreload | http2-push-preload | Low | location |
| LoadBalancing | load-balance | Low | location |
| Logs | enable-access-log | Low | location |
| Logs | enable-rewrite-log | Low | location |
| Mirror | mirror-host | High | ingress |
| Mirror | mirror-request-body | Low | ingress |
| Mirror | mirror-target | High | ingress |
| ModSecurity | enable-modsecurity | Low | ingress |
| ModSecurity | enable-owasp-core-rules | Low | ingress |
| ModSecurity | modsecurity-snippet | Critical | ingress |
| ModSecurity | modsecurity-transaction-id | High | ingress |
| Opentelemetry | enable-opentelemetry | Low | location |
| Opentelemetry | opentelemetry-operation-name | Medium | location |
| Opentelemetry | opentelemetry-trust-incoming-span | Low | location |
| Proxy | proxy-body-size | Medium | location |
| Proxy | proxy-buffer-size | Low | location |
| Proxy | proxy-buffering | Low | location |
| Proxy | proxy-buffers-number | Low | location |
| Proxy | proxy-connect-timeout | Low | location |
| Proxy | proxy-cookie-domain | Medium | location |
| Proxy | proxy-cookie-path | Medium | location |
| Proxy | proxy-http-version | Low | location |
| Proxy | proxy-max-temp-file-size | Low | location |
| Proxy | proxy-next-upstream | Medium | location |
| Proxy | proxy-next-upstream-timeout | Low | location |
| Proxy | proxy-next-upstream-tries | Low | location |
| Proxy | proxy-read-timeout | Low | location |
| Proxy | proxy-redirect-from | Medium | location |
| Proxy | proxy-redirect-to | Medium | location |
| Proxy | proxy-request-buffering | Low | location |
| Proxy | proxy-send-timeout | Low | location |
| ProxySSL | proxy-ssl-ciphers | Medium | ingress |
| ProxySSL | proxy-ssl-name | High | ingress |
| ProxySSL | proxy-ssl-protocols | Low | ingress |
| ProxySSL | proxy-ssl-secret | Medium | ingress |
| ProxySSL | proxy-ssl-server-name | Low | ingress |
| ProxySSL | proxy-ssl-verify | Low | ingress |
| ProxySSL | proxy-ssl-verify-depth | Low | ingress |
| RateLimit | limit-allowlist | Low | location |
| RateLimit | limit-burst-multiplier | Low | location |
| RateLimit | limit-connections | Low | location |
| RateLimit | limit-rate | Low | location |
| RateLimit | limit-rate-after | Low | location |
| RateLimit | limit-rpm | Low | location |
| RateLimit | limit-rps | Low | location |
| Redirect | from-to-www-redirect | Low | location |
| Redirect | permanent-redirect | Medium | location |
| Redirect | permanent-redirect-code | Low | location |
| Redirect | temporal-redirect | Medium | location |
| Redirect | temporal-redirect-code | Low | location |
| Rewrite | app-root | Medium | location |
| Rewrite | force-ssl-redirect | Medium | location |
| Rewrite | preserve-trailing-slash | Medium | location |
| Rewrite | rewrite-target | Medium | ingress |
| Rewrite | ssl-redirect | Low | location |
| Rewrite | use-regex | Low | location |
| SSLCipher | ssl-ciphers | Low | ingress |
| SSLCipher | ssl-prefer-server-ciphers | Low | ingress |
| SSLPassthrough | ssl-passthrough | Low | ingress |
| Satisfy | satisfy | Low | location |
| ServerSnippet | server-snippet | Critical | ingress |
| ServiceUpstream | service-upstream | Low | ingress |
| SessionAffinity | affinity | Low | ingress |
| SessionAffinity | affinity-canary-behavior | Low | ingress |
| SessionAffinity | affinity-mode | Medium | ingress |
| SessionAffinity | session-cookie-change-on-failure | Low | ingress |
| SessionAffinity | session-cookie-conditional-samesite-none | Low | ingress |
| SessionAffinity | session-cookie-domain | Medium | ingress |
| SessionAffinity | session-cookie-expires | Medium | ingress |
| SessionAffinity | session-cookie-max-age | Medium | ingress |
| SessionAffinity | session-cookie-name | Medium | ingress |
| SessionAffinity | session-cookie-path | Medium | ingress |
| SessionAffinity | session-cookie-samesite | Low | ingress |
| SessionAffinity | session-cookie-secure | Low | ingress |
| StreamSnippet | stream-snippet | Critical | ingress |
| UpstreamHashBy | upstream-hash-by | High | location |
| UpstreamHashBy | upstream-hash-by-subset | Low | location |
| UpstreamHashBy | upstream-hash-by-subset-size | Low | location |
| UpstreamVhost | upstream-vhost | Low | location |
| UsePortInRedirects | use-port-in-redirects | Low | location |
| XForwardedPrefix | x-forwarded-prefix | Medium | location |
Auto-generate annotation docs (#11820) 2024-08-18 23:13:18 +00:00			`# Annotations Scope and Risk`

			`\|Group \|Annotation \| Risk \| Scope \|`
			`\|--------\|------------------\|------\|-------\|`
			`\| Aliases \| server-alias \| High \| ingress \|`
			`\| Allowlist \| allowlist-source-range \| Medium \| location \|`
			`\| BackendProtocol \| backend-protocol \| Low \| location \|`
			`\| BasicDigestAuth \| auth-realm \| Medium \| location \|`
			`\| BasicDigestAuth \| auth-secret \| Medium \| location \|`
			`\| BasicDigestAuth \| auth-secret-type \| Low \| location \|`
			`\| BasicDigestAuth \| auth-type \| Low \| location \|`
			`\| Canary \| canary \| Low \| ingress \|`
			`\| Canary \| canary-by-cookie \| Medium \| ingress \|`
			`\| Canary \| canary-by-header \| Medium \| ingress \|`
			`\| Canary \| canary-by-header-pattern \| Medium \| ingress \|`
			`\| Canary \| canary-by-header-value \| Medium \| ingress \|`
			`\| Canary \| canary-weight \| Low \| ingress \|`
			`\| Canary \| canary-weight-total \| Low \| ingress \|`
			`\| CertificateAuth \| auth-tls-error-page \| High \| location \|`
			`\| CertificateAuth \| auth-tls-match-cn \| High \| location \|`
			`\| CertificateAuth \| auth-tls-pass-certificate-to-upstream \| Low \| location \|`
			`\| CertificateAuth \| auth-tls-secret \| Medium \| location \|`
			`\| CertificateAuth \| auth-tls-verify-client \| Medium \| location \|`
			`\| CertificateAuth \| auth-tls-verify-depth \| Low \| location \|`
			`\| ClientBodyBufferSize \| client-body-buffer-size \| Low \| location \|`
			`\| ConfigurationSnippet \| configuration-snippet \| Critical \| location \|`
			`\| Connection \| connection-proxy-header \| Low \| location \|`
			`\| CorsConfig \| cors-allow-credentials \| Low \| ingress \|`
			`\| CorsConfig \| cors-allow-headers \| Medium \| ingress \|`
			`\| CorsConfig \| cors-allow-methods \| Medium \| ingress \|`
			`\| CorsConfig \| cors-allow-origin \| Medium \| ingress \|`
			`\| CorsConfig \| cors-expose-headers \| Medium \| ingress \|`
			`\| CorsConfig \| cors-max-age \| Low \| ingress \|`
			`\| CorsConfig \| enable-cors \| Low \| ingress \|`
			`\| CustomHTTPErrors \| custom-http-errors \| Low \| location \|`
			`\| CustomHeaders \| custom-headers \| Medium \| location \|`
			`\| DefaultBackend \| default-backend \| Low \| location \|`
			`\| Denylist \| denylist-source-range \| Medium \| location \|`
			`\| DisableProxyInterceptErrors \| disable-proxy-intercept-errors \| Low \| location \|`
			`\| EnableGlobalAuth \| enable-global-auth \| Low \| location \|`
			`\| ExternalAuth \| auth-always-set-cookie \| Low \| location \|`
			`\| ExternalAuth \| auth-cache-duration \| Medium \| location \|`
			`\| ExternalAuth \| auth-cache-key \| Medium \| location \|`
			`\| ExternalAuth \| auth-keepalive \| Low \| location \|`
			`\| ExternalAuth \| auth-keepalive-requests \| Low \| location \|`
			`\| ExternalAuth \| auth-keepalive-share-vars \| Low \| location \|`
			`\| ExternalAuth \| auth-keepalive-timeout \| Low \| location \|`
			`\| ExternalAuth \| auth-method \| Low \| location \|`
			`\| ExternalAuth \| auth-proxy-set-headers \| Medium \| location \|`
			`\| ExternalAuth \| auth-request-redirect \| Medium \| location \|`
			`\| ExternalAuth \| auth-response-headers \| Medium \| location \|`
			`\| ExternalAuth \| auth-signin \| High \| location \|`
			`\| ExternalAuth \| auth-signin-redirect-param \| Medium \| location \|`
			`\| ExternalAuth \| auth-snippet \| Critical \| location \|`
			`\| ExternalAuth \| auth-url \| High \| location \|`
			`\| FastCGI \| fastcgi-index \| Medium \| location \|`
			`\| FastCGI \| fastcgi-params-configmap \| Medium \| location \|`
			`\| HTTP2PushPreload \| http2-push-preload \| Low \| location \|`
			`\| LoadBalancing \| load-balance \| Low \| location \|`
			`\| Logs \| enable-access-log \| Low \| location \|`
			`\| Logs \| enable-rewrite-log \| Low \| location \|`
			`\| Mirror \| mirror-host \| High \| ingress \|`
			`\| Mirror \| mirror-request-body \| Low \| ingress \|`
			`\| Mirror \| mirror-target \| High \| ingress \|`
			`\| ModSecurity \| enable-modsecurity \| Low \| ingress \|`
			`\| ModSecurity \| enable-owasp-core-rules \| Low \| ingress \|`
			`\| ModSecurity \| modsecurity-snippet \| Critical \| ingress \|`
			`\| ModSecurity \| modsecurity-transaction-id \| High \| ingress \|`
			`\| Opentelemetry \| enable-opentelemetry \| Low \| location \|`
			`\| Opentelemetry \| opentelemetry-operation-name \| Medium \| location \|`
			`\| Opentelemetry \| opentelemetry-trust-incoming-span \| Low \| location \|`
			`\| Proxy \| proxy-body-size \| Medium \| location \|`
			`\| Proxy \| proxy-buffer-size \| Low \| location \|`
			`\| Proxy \| proxy-buffering \| Low \| location \|`
			`\| Proxy \| proxy-buffers-number \| Low \| location \|`
			`\| Proxy \| proxy-connect-timeout \| Low \| location \|`
			`\| Proxy \| proxy-cookie-domain \| Medium \| location \|`
			`\| Proxy \| proxy-cookie-path \| Medium \| location \|`
			`\| Proxy \| proxy-http-version \| Low \| location \|`
			`\| Proxy \| proxy-max-temp-file-size \| Low \| location \|`
			`\| Proxy \| proxy-next-upstream \| Medium \| location \|`
			`\| Proxy \| proxy-next-upstream-timeout \| Low \| location \|`
			`\| Proxy \| proxy-next-upstream-tries \| Low \| location \|`
			`\| Proxy \| proxy-read-timeout \| Low \| location \|`
			`\| Proxy \| proxy-redirect-from \| Medium \| location \|`
			`\| Proxy \| proxy-redirect-to \| Medium \| location \|`
			`\| Proxy \| proxy-request-buffering \| Low \| location \|`
			`\| Proxy \| proxy-send-timeout \| Low \| location \|`
			`\| ProxySSL \| proxy-ssl-ciphers \| Medium \| ingress \|`
			`\| ProxySSL \| proxy-ssl-name \| High \| ingress \|`
			`\| ProxySSL \| proxy-ssl-protocols \| Low \| ingress \|`
			`\| ProxySSL \| proxy-ssl-secret \| Medium \| ingress \|`
			`\| ProxySSL \| proxy-ssl-server-name \| Low \| ingress \|`
			`\| ProxySSL \| proxy-ssl-verify \| Low \| ingress \|`
			`\| ProxySSL \| proxy-ssl-verify-depth \| Low \| ingress \|`
			`\| RateLimit \| limit-allowlist \| Low \| location \|`
			`\| RateLimit \| limit-burst-multiplier \| Low \| location \|`
			`\| RateLimit \| limit-connections \| Low \| location \|`
			`\| RateLimit \| limit-rate \| Low \| location \|`
			`\| RateLimit \| limit-rate-after \| Low \| location \|`
			`\| RateLimit \| limit-rpm \| Low \| location \|`
			`\| RateLimit \| limit-rps \| Low \| location \|`
			`\| Redirect \| from-to-www-redirect \| Low \| location \|`
			`\| Redirect \| permanent-redirect \| Medium \| location \|`
			`\| Redirect \| permanent-redirect-code \| Low \| location \|`
			`\| Redirect \| temporal-redirect \| Medium \| location \|`
Add custom code handling for temporal redirect (#10651) Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> 2024-08-23 20:10:20 +00:00			`\| Redirect \| temporal-redirect-code \| Low \| location \|`
Auto-generate annotation docs (#11820) 2024-08-18 23:13:18 +00:00			`\| Rewrite \| app-root \| Medium \| location \|`
			`\| Rewrite \| force-ssl-redirect \| Medium \| location \|`
			`\| Rewrite \| preserve-trailing-slash \| Medium \| location \|`
			`\| Rewrite \| rewrite-target \| Medium \| ingress \|`
			`\| Rewrite \| ssl-redirect \| Low \| location \|`
			`\| Rewrite \| use-regex \| Low \| location \|`
			`\| SSLCipher \| ssl-ciphers \| Low \| ingress \|`
			`\| SSLCipher \| ssl-prefer-server-ciphers \| Low \| ingress \|`
			`\| SSLPassthrough \| ssl-passthrough \| Low \| ingress \|`
			`\| Satisfy \| satisfy \| Low \| location \|`
			`\| ServerSnippet \| server-snippet \| Critical \| ingress \|`
			`\| ServiceUpstream \| service-upstream \| Low \| ingress \|`
			`\| SessionAffinity \| affinity \| Low \| ingress \|`
			`\| SessionAffinity \| affinity-canary-behavior \| Low \| ingress \|`
			`\| SessionAffinity \| affinity-mode \| Medium \| ingress \|`
			`\| SessionAffinity \| session-cookie-change-on-failure \| Low \| ingress \|`
			`\| SessionAffinity \| session-cookie-conditional-samesite-none \| Low \| ingress \|`
			`\| SessionAffinity \| session-cookie-domain \| Medium \| ingress \|`
			`\| SessionAffinity \| session-cookie-expires \| Medium \| ingress \|`
			`\| SessionAffinity \| session-cookie-max-age \| Medium \| ingress \|`
			`\| SessionAffinity \| session-cookie-name \| Medium \| ingress \|`
			`\| SessionAffinity \| session-cookie-path \| Medium \| ingress \|`
			`\| SessionAffinity \| session-cookie-samesite \| Low \| ingress \|`
			`\| SessionAffinity \| session-cookie-secure \| Low \| ingress \|`
			`\| StreamSnippet \| stream-snippet \| Critical \| ingress \|`
			`\| UpstreamHashBy \| upstream-hash-by \| High \| location \|`
			`\| UpstreamHashBy \| upstream-hash-by-subset \| Low \| location \|`
			`\| UpstreamHashBy \| upstream-hash-by-subset-size \| Low \| location \|`
			`\| UpstreamVhost \| upstream-vhost \| Low \| location \|`
			`\| UsePortInRedirects \| use-port-in-redirects \| Low \| location \|`
			`\| XForwardedPrefix \| x-forwarded-prefix \| Medium \| location \|`