People are sending HTTP requests with X-Forwarded-For across the Internet (utcc.utoronto.ca)
4 points by zdw 7 hours ago | 3 comments
Habgdnv 3 hours ago
I remember back in the 90s that Squid was adding this header while acting as a forward proxy. This header was sent across the internet years before someone had ever dreamed of the concept of a "reverse" proxy. I have not fact-checked, but I am pretty sure it is older than IPv6 and the original standard was to add this header at the origin and send it across the whole internet.
Bender 7 hours ago
One thing to add: never trust this header. Anyone can set this header's contents to anything. If setting a real-ip header inside your data-center, use a custom header and drop it at the ingress so people cannot falsify their IP. If logging X-Forwarded-For, log it in addition to, and not instead of, the remote_addr; otherwise you will get smart-asses like me being logged as "chuck-norris".
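The handling described in the comment above, as an added example that is not part of the thread: the ingress discards any client-supplied copy of an internal header and sets it from the connection's peer address, and the access log keeps `remote_addr` alongside the unverified X-Forwarded-For. The header name `X-Internal-Client-IP`, the function names and the sample request are assumptions made for illustration.

```python
import ipaddress
import json

# Hypothetical internal header name (an assumption, not named in the thread).
INTERNAL_HEADER = "x-internal-client-ip"


def ingress_rewrite(peer_addr, headers):
    """At the edge: drop any client-supplied copy of the internal header,
    then set it from the TCP peer address of the accepted connection."""
    clean = {k: v for k, v in headers.items() if k.lower() != INTERNAL_HEADER}
    clean[INTERNAL_HEADER] = str(ipaddress.ip_address(peer_addr))
    return clean


def _all_ips(value):
    """True only if every comma-separated entry parses as an IP address."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
        return True
    except ValueError:
        return False


def access_log_record(peer_addr, headers):
    """Log remote_addr as the authoritative field and X-Forwarded-For next
    to it as an unverified string. JSON encoding escapes control characters,
    so a crafted header value cannot start a new log line."""
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    return json.dumps({
        "remote_addr": peer_addr,
        "xff_unverified": xff,
        "xff_all_ips": xff is not None and _all_ips(xff),
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed request: the client forges both headers.
    forged = {"Host": "example.test",
              "X-Forwarded-For": "chuck-norris",
              "X-Internal-Client-IP": "10.0.0.1"}
    inside = ingress_rewrite("203.0.113.7", forged)
    print(inside[INTERNAL_HEADER])
    print(access_log_record("203.0.113.7", inside))
```

Backends behind the ingress read only the internal header; X-Forwarded-For stays in the log as context for investigation, never as the address of record.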