Fastify's connection header abuse enables stripping of proxy-added headers
@fastify/reply-from and @fastify/http-proxy process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the Connection header value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.