New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTTP_X_FORWARDED_FOR can be spoofed, proxies append to the list, so u… #11093

merged 1 commit into from Aug 25, 2017


None yet
2 participants

ceeram commented Aug 24, 2017

A proxy will append the client’s real IP address to the HTTP header, so use last ip instead of first ip, which could be manipulated by an attacker

@ceeram ceeram self-assigned this Aug 24, 2017

@markstory markstory added this to the 3.5.1 milestone Aug 24, 2017

@markstory markstory added the http label Aug 24, 2017


Looks good to me.

@markstory markstory merged commit fcb8736 into master Aug 25, 2017

3 of 4 checks passed

continuous-integration/travis-ci/push The Travis CI build failed
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
stickler-ci No lint errors found.

@markstory markstory deleted the client-ip-spoofing branch Aug 25, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment