Explain the possible precautions

1 parent c79fb2a commit cc5a4bb4df2390cb57d5a295a4f4a51572012268 @indirect indirect committed Jan 2, 2013
Showing with 4 additions and 3 deletions.
  1. +4 −3 actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -17,9 +17,10 @@ module ActionDispatch
# IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
# This middleware assumes that there is at least one proxy sitting around
# and setting headers with the client's remote IP address. If you don't use
- # a proxy, because you are hosted on e.g. Heroku, any client can claim to
- # have any IP address by setting the X-Forwarded-For header. If you care
- # about that, please take precautions.
+ # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
+ # claim to have any IP address by setting the X-Forwarded-For header. If you
+ # care about that, then you need to explicitly drop or ignore those headers
+ # sometime before this middleware runs.
class RemoteIp
class IpSpoofAttackError < StandardError; end
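Review bot: the new qualifier "without SSL" in the first added comment line is left unexplained, so a reader cannot tell why TLS termination would change whether X-Forwarded-For can be trusted; either state the reason in the comment or drop the qualifier and keep the unconditional warning from the removed lines. The replacement advice is also still vague: "those headers" is plural while only X-Forwarded-For is named, and "sometime before this middleware runs" does not say where. Consider naming every header this middleware consults and pointing to the two places a deployment can act, e.g. "strip or overwrite X-Forwarded-For (and any other client-IP headers this middleware reads) at your web server, or insert a middleware before RemoteIp that deletes them from the request env".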
