Don't trust Client-IP header unless behind a proxy
REMOTE_ADDR is a far safer place to get a client's IP over the header, which is easily spoofed. If someone is trusting the proxy we'll prefer x-forwarded-for and fall back to client-ip should that not exist. Remove support for http_clientaddress as I can't find any record of it existing in either the PHP docs or HTTP specs.
Showing with 9 additions and 18 deletions.
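
The lookup order the commit message describes, as an added example that is not the project's own code. The function name `resolveClientIp`, the `$trustProxy` flag and the sample requests are hypothetical, and it assumes the trusted proxy overwrites `X-Forwarded-For` rather than appending to a client-supplied value.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the client address from a $_SERVER-style array.
 * $trustProxy (hypothetical flag) should be true only when every request
 * reaches PHP through a proxy you control.
 */
function resolveClientIp(array $server, bool $trustProxy = false): ?string
{
    $candidates = [];

    if ($trustProxy) {
        if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
            // Assumption: the proxy sets this header itself, so the first
            // entry is the address the proxy saw on its inbound side.
            $candidates[] = explode(',', $server['HTTP_X_FORWARDED_FOR'])[0];
        } elseif (!empty($server['HTTP_CLIENT_IP'])) {
            // Client-IP is consulted only when X-Forwarded-For is absent.
            $candidates[] = $server['HTTP_CLIENT_IP'];
        }
    }

    // REMOTE_ADDR is the TCP peer address; a request header cannot change it.
    $candidates[] = $server['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $candidate) {
        // Reject anything that is not a syntactically valid IPv4/IPv6 address.
        $ip = filter_var(trim($candidate), FILTER_VALIDATE_IP);
        if ($ip !== false) {
            return $ip;
        }
    }
    return null;
}

// Constructed sample: direct connection carrying forged headers.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
// Constructed sample: request relayed by a trusted proxy at 10.0.0.5.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5',
];

echo resolveClientIp($direct), PHP_EOL;        // headers are not consulted
echo resolveClientIp($proxied, true), PHP_EOL; // forwarded address is used
```

With `$trustProxy` left at `false`, the forged `Client-IP` and `X-Forwarded-For` values in `$direct` never influence the result, which is the behaviour the commit title asks for.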