R
Railway14mo ago
macwilko

X-Forwarded-For proxies

I'm just learning a bit about X-Forwarded-For, I'de like to know if it's possible for this header to be spoofed, or indeed incorrect IP address of the user. Are there any mitigations, checks I can do to ensure I'm correctly identifying the user based on their IP.
12 Replies
Percy
Percy14mo ago
Project ID: N/A
macwilko
macwilkoOP14mo ago
Information Security Stack Exchange
How to prevent spoofing of X-Forwarded-For header?
X-Forwarded-For header can capture the IP of the client and use this IP to implement access control. However, the X-Forwarded-For header can be easily spoofed or manipulated. How to prevent this or...
macwilko
macwilkoOP14mo ago
d1c85c02-8ca5-43c3-adc6-4a24cb066e33 Also... can I potentially use this to Geo-locate users based on the proxy?
ThallesComH
ThallesComH14mo ago
usually you can't much to mitigate x-forwarded-for if you don't have access to the proxy. the proxy that blocks the headers. and railway seems to do that, but only for the header X-Envoy-External-Address
ThallesComH
ThallesComH14mo ago
the x-forwarded-for seems to append the ip sent by the client
No description
macwilko
macwilkoOP14mo ago
@ThallesComH you legend i'll read about Envoy external address
ThallesComH
ThallesComH14mo ago
good, watch out that Cloudflare also have their x-forwarded-for version https://developers.cloudflare.com/fundamentals/reference/http-request-headers
Cloudflare HTTP request headers · Cloudflare Fundamentals docs
Cloudflare passes all HTTP request headers to your origin web server and adds additional headers as specified below.
ThallesComH
ThallesComH14mo ago
and x-forwarded-for behaves the same as the Railway's one
macwilko
macwilkoOP14mo ago
gotcha! is Railway using this? https://www.envoyproxy.io
Brody
Brody14mo ago
yes they are
macwilko
macwilkoOP14mo ago
Looking forward to when Brody does:
brody_text.replace(/they/i, “we”)
brody_text.replace(/they/i, “we”)
Brody
Brody14mo ago
you're funny
Want results from more Discord servers?
Add your server