This repository has been archived by the owner on Apr 7, 2022. It is now read-only.
Blindly trusting the Forwarded header allows anyone to spoof the origin IP. A common way to address this security problem is to only trust Forwarded headers from trusted sources.
Examples of how to mitigate this problem:
https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
You should, at least, remove the comment stating that this value can be used for security measures for now.
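The trusted-source check described in the issue, as an added example that is not part of the original report or the repository's code. It generalizes to several proxy hops by walking the `for=` values right to left; `TRUSTED_PROXIES`, `client_ip` and the helper names are hypothetical, and the addresses are constructed samples.

```python
import ipaddress

# Assumption: the reverse proxies you operate (constructed sample ranges).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.1/32")]

def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)

def _parse_node(value):
    """Return the IP in a Forwarded for= value, or None ("unknown", "_obfuscated", junk)."""
    value = value.strip().strip('"')
    if value.startswith("["):                 # "[2001:db8::1]:4711"
        value = value[1:].split("]", 1)[0]
    elif value.count(":") == 1:               # "192.0.2.43:47011"
        value = value.split(":", 1)[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _for_nodes(header):
    """Yield the for= values of an RFC 7239 Forwarded header, left to right."""
    for element in header.split(","):
        for pair in element.split(";"):
            name, _, value = pair.partition("=")
            if name.strip().lower() == "for":
                yield value

def client_ip(peer, forwarded, trusted=TRUSTED_PROXIES):
    """Resolve the client address, believing only hops reported by trusted proxies."""
    current = ipaddress.ip_address(peer)      # the TCP peer is the only hop a client cannot forge
    for value in reversed(list(_for_nodes(forwarded or ""))):
        if not _is_trusted(current, trusted):
            break                             # everything further left was written by an untrusted host
        node = _parse_node(value)
        if node is None:
            break                             # unparseable node: keep the last verified address
        current = node
    return str(current)
```

A request that arrives directly from an untrusted peer keeps the peer address no matter what its Forwarded header claims, and entries a client prepends to the header are never reached.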