ClientIP() using X-Forwarded-For and X-Real-Ip by default without any kind of warning is appalling security-wise.
It is trivial for an attacker to spoof any IP address if the app is listening directly on a public port without a reverse proxy, or if the reverse proxy is not properly configured. For example, if the reverse proxy is configured to use X-Real-Ip, it will seemingly work correctly, but X-Forwarded-For takes precedence, so the remote IP address can still be spoofed.
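A hardened client-IP lookup for the situation described above, as an added example that is neither gin's code nor part of the original issue. It only honours X-Forwarded-For when the TCP peer is a known reverse proxy, walks the header from the right so client-supplied entries are never reached, and ignores X-Real-Ip entirely; it assumes a constructed trusted-proxy range of 10.0.0.0/8.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Constructed assumption: the reverse proxies live in this network.
var _, trustedProxy, _ = net.ParseCIDR("10.0.0.0/8")

// trustedClientIP returns the client address for r. X-Forwarded-For is only
// honoured when the direct peer (r.RemoteAddr) is a trusted reverse proxy;
// otherwise the peer address is returned and any X-Forwarded-For or
// X-Real-Ip header the client supplied is ignored.
func trustedClientIP(r *http.Request) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr // RemoteAddr without a port
	}
	if !isTrustedProxy(peer) {
		return peer
	}
	// Walk X-Forwarded-For right to left: each trusted proxy appends the
	// address it saw, so the rightmost non-proxy entry is the real client.
	// Everything to its left was supplied by the client and is untrusted.
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop := strings.TrimSpace(hops[i])
		if net.ParseIP(hop) == nil {
			break // empty or malformed entry: fall back to the proxy address
		}
		if !isTrustedProxy(hop) {
			return hop
		}
	}
	return peer
}

// isTrustedProxy reports whether ip belongs to the trusted proxy network.
func isTrustedProxy(ip string) bool {
	parsed := net.ParseIP(ip)
	return parsed != nil && trustedProxy.Contains(parsed)
}
```

With this lookup a spoofed header from a direct public connection has no effect, because the peer address is not a trusted proxy.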