Warn about client IP spoofing

jazzband · Mar 15, 2017 · 2684906 · 2684906
1 parent d653b5d
commit 2684906
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/docs/installation.rst b/docs/installation.rst
@@ -22,8 +22,8 @@ documentation on `installing GeoIP`_.
 .. _installing GeoIP:
    https://docs.djangoproject.com/en/1.6/ref/contrib/gis/geoip/
 
-IP Data Accuracy
-----------------
+IP when behind a proxy
+----------------------
 If you're running Django behind a proxy like nginx, you will have to set 
 the `REMOTE_ADDR` META header manually using a middleware, to stop it from 
 always returning the ip of the proxy (e.g. 127.0.0.1 in many cases).
@@ -33,4 +33,6 @@ Which simply does this for each request:
 
 ``request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(',')[0].strip()``
 
-Your particular configuration may vary, X-Forwarded-For is not always accurate in some cases.
+Your particular configuration may vary, `X-Forwarded-For` must be set by
+a proxy that you have control over, otherwise it might be spoofed by the
+client.