The perils of the real client IP (2022)
9 months ago
- #http-headers
- #security
- #networking
- Use the rightmost IP in the X-Forwarded-For (XFF) header for security-related purposes to avoid spoofing.
- Avoid using the leftmost IP in the XFF header as it is trivially spoofable and unreliable for security.
- When the XFF header appears more than once, use the last instance when choosing the rightmost IP.
- Special headers like X-Real-IP or True-Client-IP can be useful but depend on correct reverse proxy configuration.
- Never trust headers not set by your own reverse proxy to prevent spoofing vulnerabilities.
- Many rate limiter implementations are vulnerable to spoofing, leading to bypass and memory exhaustion attacks.
- Always verify how the 'real client IP' is derived in your code and infrastructure.
- Headers like X-Forwarded-For are untrustworthy unless controlled by your infrastructure.
- Multiple XFF headers can complicate IP extraction; merge them carefully.
- Private IPs in XFF headers should be ignored as they are not useful for identifying clients.
- RFC 7239's Forwarded header is a more official but less adopted alternative to XFF with similar security issues.
- Network architecture changes can introduce vulnerabilities if IP derivation logic isn't updated.
- Overwriting XFF headers at the first proxy can simplify trust but may encourage bad practices.
- Consider using custom single-IP headers set by your first proxy for more reliable client IP identification.
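The following Python example is added here to make the takeaways above concrete; it is not code from the original article. It merges multiple XFF header instances in order, contrasts the spoofable leftmost entry with the rightmost-ish strategy (skipping the entries appended by your own proxies), shows the rightmost-non-private variant, and reads a single-IP header only when the TCP peer is one of your own proxies. The header name `X-Client-IP`, the function names, and all sample addresses are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed sample request: the client forged a leading XFF value, our edge
# proxy appended the client's real address (8.8.8.8), and our internal load
# balancer appended the edge proxy's address as a SECOND header instance.
SAMPLE_XFF_HEADERS = [
    "1.1.1.1, 8.8.8.8",  # "1.1.1.1" was sent by the client; 8.8.8.8 appended by the edge proxy
    "10.0.0.5",          # appended by the internal LB: the edge proxy's address
]
SAMPLE_REMOTE_ADDR = "10.0.0.9"  # TCP peer of the app server: the internal LB
OWN_PROXY_ADDRS = {"10.0.0.9"}   # addresses we know belong to our own proxies
SINGLE_IP_HEADER = "X-Client-IP"  # hypothetical header overwritten by our first proxy


def merge_xff(header_values: Iterable[str]) -> list[str]:
    """Merge every X-Forwarded-For instance, in header order, into one list.

    Several instances are equivalent to one comma-joined header, so the last
    instance carries the rightmost entries.
    """
    ips: list[str] = []
    for value in header_values:
        for part in value.split(","):
            part = part.strip()
            if part:
                ips.append(part)
    return ips


def parse_ip(raw: str) -> Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Parse one entry, tolerating 'ip:port' and '[v6]:port'; None if invalid."""
    s = raw.strip()
    if s.startswith("[") and "]" in s:   # [2001:db8::1]:443
        s = s[1 : s.index("]")]
    elif s.count(":") == 1:              # 192.0.2.1:443
        s = s.split(":", 1)[0]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def leftmost_ip(header_values: Iterable[str]) -> Optional[str]:
    """Unsafe strategy: the leftmost entry is whatever the client chose to send."""
    ips = merge_xff(header_values)
    ip = parse_ip(ips[0]) if ips else None
    return str(ip) if ip else None


def rightmost_ish_ip(header_values: Iterable[str], remote_addr: str, own_proxies: int) -> str:
    """Rightmost-ish strategy: skip the entries appended by our own proxies.

    With N of our proxies in the chain, remote_addr is proxy N and the XFF list
    ends with the addresses of proxies 1..N-1, so the client sits N positions
    from the right. The count must track the real network architecture: if it
    is wrong, the result is wrong. With no proxy, or too few entries, the only
    trustworthy value is remote_addr.
    """
    ips = merge_xff(header_values)
    idx = len(ips) - own_proxies
    if own_proxies <= 0 or idx < 0:
        return remote_addr
    ip = parse_ip(ips[idx])
    return str(ip) if ip else remote_addr


def rightmost_non_private(header_values: Iterable[str], remote_addr: str) -> str:
    """Walk right-to-left over the chain and return the first public address.

    Only usable when all of our own proxies have private addresses; a proxy
    with a public address would be returned instead of the client.
    """
    for raw in reversed(merge_xff(header_values) + [remote_addr]):
        ip = parse_ip(raw)
        if ip is not None and ip.is_global:
            return str(ip)
    return remote_addr


def single_header_ip(headers: Mapping[str, str], remote_addr: str, own_proxy_addrs: set[str]) -> str:
    """Trust a single-IP header only if the TCP peer is one of our own proxies.

    If the request did not arrive through our proxy the header is attacker
    controlled, so it is ignored entirely.
    """
    if remote_addr not in own_proxy_addrs:
        return remote_addr
    ip = parse_ip(headers.get(SINGLE_IP_HEADER, ""))
    return str(ip) if ip else remote_addr


if __name__ == "__main__":
    print("leftmost (spoofable):", leftmost_ip(SAMPLE_XFF_HEADERS))
    print("rightmost-ish, 2 own proxies:", rightmost_ish_ip(SAMPLE_XFF_HEADERS, SAMPLE_REMOTE_ADDR, 2))
    print("rightmost non-private:", rightmost_non_private(SAMPLE_XFF_HEADERS, SAMPLE_REMOTE_ADDR))
```

Running the module prints `1.1.1.1` for the leftmost strategy (the forged value) and `8.8.8.8` for both rightmost variants. Note that the rightmost-ish result depends entirely on `own_proxies` being accurate: passing `0` returns the load balancer's address, and passing too large a number would return an attacker-chosen entry, which is the architecture-change hazard the article describes.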