Fix typo #18
Nginx reverse proxies will completely bypass verification with this change. I'll create an issue instead.
5b9b35b was a security fix. A browser could provide a header like: `X-Forwarded-For: 127.0.0.1` which would allow it to bypass the Alexa verification process. This change ensures that X-Forwarded-For is only observed if it's sent from a local server (such as a proxy). Otherwise, the real IP is used.
Ah yes - well, that is because bodyParser.urlencoded doesn't necessarily work for all the user server modules. In my project, for example ( https://gyazo.com/bc5b88a444b8ff334b78a5771b3d80c0 ) there are many express routes added which don't use urlencoded forms, so blanket-applying bodyParser.urlencoded to every request causes problems.
Oh I see, that makes a lot of sense! I opened #35 and will close this. If you have time, would love some tests and a pull request for that issue.
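The check described in the comment above, sketched as an added example; it is not code from this thread or from the project. The helper names `isLoopback` and `resolveClientIp` are hypothetical, and taking the right-most `X-Forwarded-For` entry assumes a local proxy that appends the peer address it saw (left-hand entries remain client-supplied).

```javascript
const net = require('net');

// True when the TCP peer is on the loopback interface, e.g. a local nginx proxy.
function isLoopback(addr) {
  if (typeof addr !== 'string') return false;
  // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
  const a = addr.startsWith('::ffff:') ? addr.slice(7) : addr;
  if (net.isIPv4(a)) return a.split('.')[0] === '127';
  return a === '::1';
}

// Honour X-Forwarded-For only when the request arrived from a local proxy;
// otherwise the socket's own peer address is the client IP.
function resolveClientIp(remoteAddress, headers) {
  const xff = headers['x-forwarded-for']; // Node lower-cases header names
  if (!isLoopback(remoteAddress) || typeof xff !== 'string') {
    return remoteAddress; // header from a direct client is ignored
  }
  // Keep only syntactically valid addresses, then take the right-most one:
  // the entry appended by the local proxy (assumption, see lead-in).
  const hops = xff.split(',').map((s) => s.trim()).filter((s) => net.isIP(s) !== 0);
  return hops.length > 0 ? hops[hops.length - 1] : remoteAddress;
}

// Constructed sample requests (documentation address ranges, not real traffic).
const SAMPLES = [
  { peer: '203.0.113.7', headers: { 'x-forwarded-for': '127.0.0.1' } },   // spoof attempt
  { peer: '127.0.0.1', headers: { 'x-forwarded-for': '198.51.100.4' } },  // via local proxy
  { peer: '::ffff:127.0.0.1',
    headers: { 'x-forwarded-for': '127.0.0.1, 198.51.100.4' } },          // client-sent prefix
  { peer: '127.0.0.1', headers: { 'x-forwarded-for': 'not-an-ip' } },     // malformed header
];

function resolveSamples() {
  return SAMPLES.map((s) => resolveClientIp(s.peer, s.headers));
}

console.log(resolveSamples());
```
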
"er" is undefined - my bad!