X-Forwarded-For proxies

I'm just learning a bit about X-Forwarded-For. I'd like to know if it's possible for this header to be spoofed, or indeed to carry an incorrect IP address for the user. Are there any mitigations or checks I can do to ensure I'm correctly identifying the user based on their IP?
12 Replies
macwilko
macwilko9mo ago
Information Security Stack Exchange
How to prevent spoofing of X-Forwarded-For header?
X-Forwarded-For header can capture the IP of the client and use this IP to implement access control. However, the X-Forwarded-For header can be easily spoofed or manipulated. How to prevent this or...
macwilko
macwilko9mo ago
Also... can I potentially use this to geo-locate users based on the proxy?
ThallesComH
ThallesComH9mo ago
usually you can't do much to mitigate x-forwarded-for if you don't have access to the proxy (the proxy that blocks the headers). and railway seems to do that, but only for the header X-Envoy-External-Address
ThallesComH
ThallesComH9mo ago
the x-forwarded-for seems to append the ip sent by the client
macwilko
macwilko9mo ago
@ThallesComH you legend, I'll read about Envoy external address
ThallesComH
ThallesComH9mo ago
good, watch out that Cloudflare also has its own x-forwarded-for version https://developers.cloudflare.com/fundamentals/reference/http-request-headers
Cloudflare HTTP request headers · Cloudflare Fundamentals docs
Cloudflare passes all HTTP request headers to your origin web server and adds additional headers as specified below.
ThallesComH
ThallesComH9mo ago
and x-forwarded-for behaves the same as Railway's one
macwilko
macwilko9mo ago
gotcha! is Railway using this? https://www.envoyproxy.io
Brody
Brody9mo ago
yes they are
macwilko
macwilko9mo ago
Looking forward to when Brody does:
brody_text.replace(/they/i, "we")
Brody
Brody9mo ago
you're funny