Skip to content

Security: fix HTTP rate-limit X-Forwarded-For trust behind reverse proxies#89

Closed
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-100c
Closed

Security: fix HTTP rate-limit X-Forwarded-For trust behind reverse proxies#89
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-100c

Conversation

@cursor

@cursor cursor Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Security review (2026-07-17)

One new validated finding was reported and fixed on this branch.

Medium — Spoofed X-Forwarded-For bypasses HTTP rate limits behind trusted reverse proxies

  • Location: src/rate_limit.rs
  • Issue: #88
  • Impact: When HTTP_TRUSTED_PROXIES is set (documented Docker/nginx deployment), the limiter used the leftmost X-Forwarded-For hop. With nginx $proxy_add_x_forwarded_for, that hop is attacker-controlled, so clients could rotate synthetic IPs to bypass per-client buckets and amplify traffic up to the 10,000-entry tracking cap (including fail-closed denial for new legitimate clients).
  • Fix: Prefer X-Real-IP when present; otherwise derive the client IP from the rightmost X-Forwarded-For hop appended by the immediate trusted proxy. Added regression tests and clarified .env.example / config docs.

Closes #88

Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

When HTTP_TRUSTED_PROXIES is configured, use X-Real-IP or the rightmost
X-Forwarded-For hop instead of the client-controlled leftmost entry. This
closes a rate-limit bypass and DoS amplification path behind nginx-style
reverse proxies that append the connecting address.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>

Copy link
Copy Markdown
Contributor

Superseded by #90, which contains this PR's commit plus the clippy filter_next fix that was failing CI here. Closing in favor of #90.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Spoofed X-Forwarded-For bypasses HTTP rate limits behind trusted reverse proxies

2 participants