Do not trust the 'x-forwarded-for' HTTP header
Closed this issue · 1 comment
ampliasec commented
One of the examples provided obtains the client's remote IP address from the 'X-Forwarded-For' HTTP header.
```javascript
// Takes the first (left-most) entry of X-Forwarded-For as the client address.
// Note: the left-most entry is the one the original client can set freely.
let clientIp = function(req, res) {
  return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',')[0] : ""
}
```
In general, this is not recommended because this HTTP header can be spoofed; examples:
$ curl server:3000 **-H 'X-Forwarded-for: ANYTHING'**
$ curl server:3000 **-H 'X-Forwarded-for: 127.0.0.1'**
We recommend removing the example, or mentioning this attack scenario to avoid the potential vulnerability caused by this behavior.
Thank you!
jetersen commented
There are different server environments or load balancers that do use the x-forwarded-for header, so 🤷♂️
Users are also free to write their own IP detection; this is just a general suggestion in the README to show the functionality.