jetersen/express-ipfilter

Do not trust the 'x-forwarded-for' HTTP header

Closed this issue · 1 comment

One of the examples provided obtains the client's remote IP address from the 'X-Forwarded-For' HTTP header.

// README example: takes the first X-Forwarded-For entry as the client address
let clientIp = function(req, res) {
  return req.headers['x-forwarded-for'] ? req.headers['x-forwarded-for'].split(',')[0] : "";
};

In general, this is not recommended because this HTTP header can be spoofed; examples:

$ curl server:3000 -H 'X-Forwarded-For: ANYTHING'
$ curl server:3000 -H 'X-Forwarded-For: 127.0.0.1'

We recommend removing the example, or mentioning this attack scenario, to avoid the potential vulnerability caused by this behavior.

Thank you!

There are different server environments or load balancers that do use the x-forwarded-for header, so 🤷‍♂️
Users are also free to write their own IP detection; this is just a general suggestion in the README to show the functionality.