
How to use IpSpoofAttackError #13914

homakov opened this Issue · 8 comments

3 participants


When I reflect

render text: request.remote_ip

it returns for following code:

x=new XMLHttpRequest;'get','/ip');

So I am not sure why we need to raise IpSpoofAttackError. How exactly is it supposed to protect me? Probably I must use .ip instead of remote_ip if I don't have a proxy server?


If we have a proxy server appending real IP to X-Forwarded-For, IpSpoofAttackError is not helpful.

If we don't have it, IpSpoofAttackError is not helpful either, because we can simply set our own X-Forwarded-For w/o Client-Ip.

Can someone please explain how it is helping?


Solution: Use PHP ;)


joernchen: this doesn't work.

Since it doesn't work can someone remove that IP spoofing error? It only scares, doesn't mitigate.


#2490 (comment)

This doesn't work? @env["REMOTE_ADDR"]


@pwnsdx no, and I don't see how it can help in any situation. It's still easy to set X-F-For


I don't think IpSpoofAttackError protects against anything. From the code:

Rails will raise the exception when it encounters a request having both the Client-Ip and X-Forwarded-For headers set. Something that is more likely caused by an ill-behaving proxy.

Not that any protection is possible whilst headers can be set from JavaScript.


Exactly. Why do we need it then? Remote_ip has no benefits, let's use .ip instead.

@homakov homakov closed this
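
The point debated in this thread, as an added example that is not code from Rails or from any participant: a simplified Ruby model in which a header-trusting resolver accepts a lone X-Forwarded-For from a directly connected client, while a resolver anchored on the TCP peer ignores it. The names `SpoofError`, `header_trusting_ip`, `peer_anchored_ip`, the trusted proxy ranges and the sample requests are all assumptions constructed for illustration.

```ruby
require "ipaddr"

class SpoofError < StandardError; end   # stand-in for IpSpoofAttackError

# Constructed proxy ranges; a real deployment lists its own proxies here.
TRUSTED = [IPAddr.new("127.0.0.1"), IPAddr.new("10.0.0.0/8")].freeze

def trusted?(ip)
  TRUSTED.any? { |net| net.include?(IPAddr.new(ip)) }
rescue IPAddr::Error
  false
end

# Split a comma-separated header and keep only entries that parse as addresses.
def split_ips(header)
  header.to_s.split(",").map(&:strip)
        .select { |ip| !ip.empty? && (IPAddr.new(ip) rescue false) }
end

# Header-trusting model: the conflict check runs only when both headers exist,
# so a request carrying X-Forwarded-For alone is never flagged.
def header_trusting_ip(env)
  client    = split_ips(env["HTTP_CLIENT_IP"])
  forwarded = split_ips(env["HTTP_X_FORWARDED_FOR"])
  if client.any? && forwarded.any? && !forwarded.include?(client.last)
    raise SpoofError, "Client-Ip and X-Forwarded-For disagree"
  end
  (forwarded + client).reject { |ip| trusted?(ip) }.last || env["REMOTE_ADDR"]
end

# Peer-anchored model: forwarded headers count only when the TCP peer is a
# trusted proxy; the list is read right to left, skipping trusted hops.
def peer_anchored_ip(env)
  peer = env["REMOTE_ADDR"]
  return peer unless trusted?(peer)
  split_ips(env["HTTP_X_FORWARDED_FOR"]).reverse.find { |ip| !trusted?(ip) } || peer
end

# Constructed requests (documentation address ranges).
DIRECT    = { "REMOTE_ADDR" => "203.0.113.7", "HTTP_X_FORWARDED_FOR" => "198.51.100.99" }
VIA_PROXY = { "REMOTE_ADDR" => "10.0.0.5",
              "HTTP_X_FORWARDED_FOR" => "198.51.100.99, 203.0.113.7" }
CONFLICT  = DIRECT.merge("HTTP_CLIENT_IP" => "192.0.2.1")

if __FILE__ == $PROGRAM_NAME
  [DIRECT, VIA_PROXY].each do |env|
    puts "header-trusting=#{header_trusting_ip(env)} peer-anchored=#{peer_anchored_ip(env)}"
  end
end
```

For anything security-relevant (rate limiting, audit logs, allow lists), the peer-anchored value is the one to record; the header-derived value is only as trustworthy as the hop that wrote it.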