Permalink
Browse files

Merge pull request #8706 from steveklabnik/ip_precautions

Explain the possible IP precautions
  • Loading branch information...
2 parents c79fb2a + cc5a4bb commit c9d8481bebe55d8073256391e4f828cb2c8c3849 @rafaelfranca rafaelfranca committed Jan 2, 2013
Showing with 4 additions and 3 deletions.
  1. +4 −3 actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -17,9 +17,10 @@ module ActionDispatch
# IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
# This middleware assumes that there is at least one proxy sitting around
# and setting headers with the client's remote IP address. If you don't use
- # a proxy, because you are hosted on e.g. Heroku, any client can claim to
- # have any IP address by setting the X-Forwarded-For header. If you care
- # about that, please take precautions.
+ # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
+ # claim to have any IP address by setting the X-Forwarded-For header. If you
+ # care about that, then you need to explicitly drop or ignore those headers
+ # sometime before this middleware runs.
class RemoteIp
class IpSpoofAttackError < StandardError; end

0 comments on commit c9d8481

Please sign in to comment.