• X-Forwarded-For is a comma-separated list, not a single IP, which is not handled by this plugin.

    Additionally, the XFF header can be injected by anyone. You need to whitelist the IPs of known safe reverse proxies (local reverse proxies you run, services you use like CloudFlare, etc…) and only trust XFF and other IP headers when they come from a trusted source.

    This isn’t currently being handled.

The topic ‘XFF handling improperly implemented’ is closed to new replies.
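
The handling the post above asks for, as an added example that is not part of the original thread or the plugin's code: X-Forwarded-For is parsed as a list and honoured only when the connecting peer is an allow-listed proxy. The function names and the proxy ranges (documentation and private ranges) are assumptions made for illustration.

```python
import ipaddress

# Assumed allow-list of reverse proxies you run or use (constructed sample ranges).
TRUSTED_PROXIES = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.1/32", "10.0.0.0/8", "203.0.113.0/24")
]


def is_trusted(ip):
    """True if ip falls inside one of the allow-listed proxy networks."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Return the address to attribute the request to.

    remote_addr is the TCP peer address, which a header cannot change.
    xff_header is the raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    # Header sent over a connection from an unknown peer: ignore it entirely.
    if not xff_header or not is_trusted(peer):
        return str(peer)
    # Each proxy appends the address it received the request from, so the
    # right-hand entries were written by our own proxies. Walk right to left.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry (including host:port forms, not handled here):
            # keep the last address that could be verified.
            break
        candidate = ip
        if not is_trusted(ip):
            # First hop outside the allow-list is what our proxies saw;
            # anything further left is client-supplied and not trusted.
            break
    return str(candidate)
```
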