briandela / therealyou

hapi.js plugin for setting the request.info.remoteAddress and request.info.remotePort based on the X-Forwarded-For and X-Forwarded-Port headers
MIT License
7 stars 4 forks

First IP can be spoofed. You want the last IP. #9

Open createthis opened 6 years ago

createthis commented 6 years ago

Given an X-Forwarded-For header with value "10.0.0.12, 192.168.1.234", the first value, "10.0.0.12", could have been supplied by the client and therefore spoofed. You can test this yourself quite easily in Chrome by installing the X-Forwarded-For extension and spoofing the IP to any value you want.

You want the last IP, "192.168.1.234".
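As an added illustration of the point raised in this issue (example code, not part of the therealyou plugin), the two strategies side by side: taking the first X-Forwarded-For entry, which the client controls, versus walking the list from the right past the proxies we operate ourselves. The proxy addresses (10.1.1.1, 10.1.1.2) and the peer addresses are assumed values; with a single trusted proxy in front of the app the right-to-left walk yields exactly the last entry, as the comment above recommends, and it generalises to a chain of our own proxies.

```javascript
// Added example, not code from the therealyou plugin: pick the client address
// from X-Forwarded-For by walking the list from the right instead of taking the
// first entry. Each proxy appends the peer address it accepted the connection
// from, so the rightmost entries were written by proxies we run and cannot be
// forged by the client; everything to the left of them is untrusted input.

// Parse the comma-separated header into a list of hop addresses.
function parseForwardedFor(headerValue) {
  if (typeof headerValue !== 'string') return [];
  return headerValue.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// The spoofable approach the issue warns about: trust the leftmost entry.
function firstForwardedAddress(headerValue) {
  const hops = parseForwardedFor(headerValue);
  return hops.length > 0 ? hops[0] : null;
}

// Rightmost address that is not one of our own proxies. `remoteAddress` is the
// TCP peer (what hapi exposes as request.info.remoteAddress before any rewrite)
// and counts as the final hop. `trustedProxies` holds the addresses of proxies
// we operate (assumed values for this example; substitute your own). With one
// trusted proxy in front of the app this returns the last header entry; with a
// chain of our own proxies it returns the first untrusted hop from the right.
function clientAddress(headerValue, remoteAddress, trustedProxies) {
  const hops = parseForwardedFor(headerValue);
  hops.push(remoteAddress);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  // Every hop is one of our proxies (e.g. a health check sent by the proxy itself).
  return remoteAddress;
}

// Constructed sample: the issue's header, received from our proxy at 10.1.1.1.
const trusted = new Set(['10.1.1.1']);
const header = '10.0.0.12, 192.168.1.234';
console.log(firstForwardedAddress(header));              // 10.0.0.12 (client-supplied, spoofable)
console.log(clientAddress(header, '10.1.1.1', trusted)); // 192.168.1.234 (appended by our proxy)
// A request that reaches the app without passing our proxy: its header is ignored.
console.log(clientAddress('1.2.3.4', '203.0.113.5', trusted)); // 203.0.113.5
```

The second case matters for detection as much as for correctness: a request whose TCP peer is not a known proxy should be attributed to that peer, not to whatever it chose to write in the header.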