IP ratelimit: X-Forwarded-For can be spoofed

Question

IP ratelimit: X-Forwarded-For can be spoofed

Closed this issue 6 months ago · 0 comments

Reported by @DevKingSaul

Solution, from MDN:

Trusted proxy count: The count of reverse proxies between the internet and the server is configured. The X-Forwarded-For IP list is searched from the rightmost by that count minus one. (For example, if there is only one reverse proxy, that proxy will add the client's IP address, so the rightmost address should be used. If there are three reverse proxies, the last two IP addresses will be internal.)