ninjaframework / ninja

Ninja is a full stack web framework for Java. Rock solid, fast and super productive.
http://www.ninjaframework.org
Apache License 2.0
1.91k stars 518 forks

X-Forwarded-For header and security #224

Closed raphaelbauer closed 10 years ago

raphaelbauer commented 10 years ago

@dazhudson I'd like to add a toggle to application.conf that enables this feature only if it is set to true. I can think of all sorts of strange security issues when the frontend facing proxy is not configured properly, or the users are not 100% sure what they are doing.

Something like: ninja.x-forwarded-for=true|false

Let me know what you think!

DazHudson commented 10 years ago

You can do, or, if you want the default behaviour, just use getHttpRequest().getRemoteAddr().

raphaelbauer commented 10 years ago

Sure - but some people are using context.getRemoteAddr() already and may be surprised with the change (positive or negative depending on the configuration of their firewalls and reverse proxies ;) ).

Anyway - I added a configuration variable to enable the feature (ninja.x_forwarded_for_enabled). I think that's cool and easy.
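To make the risk being discussed concrete, here is an added, framework-independent illustration of the toggle idea; it is not Ninja's code and not the implementation from the pull request. It assumes the application already knows the TCP peer address (what the thread calls getHttpRequest().getRemoteAddr() or context.getRemoteAddr()) and the raw X-Forwarded-For header value, and it treats the boolean constructor argument as the equivalent of the ninja.x_forwarded_for_enabled setting. The leftmost-entry parsing and the address sanity check are this example's own choices, not something the thread specifies.

```java
import java.util.Objects;
import java.util.regex.Pattern;

/**
 * Illustration (not Ninja's own code) of why the thread wants an explicit
 * opt-in: X-Forwarded-For is written by whatever sits in front of the
 * application. Behind a correctly configured reverse proxy it carries the
 * real client address; exposed directly to the internet, it is just a
 * request header that any caller can set to anything.
 */
public final class ClientAddressResolver {

    /** Loose IPv4/IPv6 shape check; an assumption of this example, not Ninja's validation. */
    private static final Pattern LOOKS_LIKE_IP = Pattern.compile("^[0-9A-Fa-f:.]+$");

    /** Stands in for the ninja.x_forwarded_for_enabled configuration value. */
    private final boolean xForwardedForEnabled;

    public ClientAddressResolver(boolean xForwardedForEnabled) {
        this.xForwardedForEnabled = xForwardedForEnabled;
    }

    /**
     * @param socketRemoteAddr the TCP peer address of the connection (never null)
     * @param xForwardedFor    the raw X-Forwarded-For header value, or null if absent
     * @return the address the application should treat as the client
     */
    public String resolve(String socketRemoteAddr, String xForwardedFor) {
        Objects.requireNonNull(socketRemoteAddr, "socketRemoteAddr");

        // Toggle off (the safe default): the header is never consulted, so a
        // forged value cannot influence logging, rate limiting or IP allow-lists.
        if (!xForwardedForEnabled || xForwardedFor == null || xForwardedFor.trim().isEmpty()) {
            return socketRemoteAddr;
        }

        // Header format: "client, proxy1, proxy2". The leftmost entry is the
        // client as reported by the first proxy that handled the request.
        String candidate = xForwardedFor.split(",", 2)[0].trim();

        // Fall back to the socket address rather than letting arbitrary header
        // text flow into logs or access-control decisions.
        if (candidate.isEmpty() || !LOOKS_LIKE_IP.matcher(candidate).matches()) {
            return socketRemoteAddr;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // All values below are constructed for the demonstration.
        String proxyAddr = "10.0.0.5";                 // the reverse proxy's own address
        String proxyHeader = "203.0.113.7, 10.0.0.5";  // header as a well-configured proxy would send it
        String directAddr = "198.51.100.9";            // a client connecting with no proxy in between
        String forgedHeader = "127.0.0.1";             // header a direct client could set itself

        ClientAddressResolver disabled = new ClientAddressResolver(false);
        ClientAddressResolver enabled = new ClientAddressResolver(true);

        System.out.println("disabled, behind proxy : " + disabled.resolve(proxyAddr, proxyHeader));
        System.out.println("enabled,  behind proxy : " + enabled.resolve(proxyAddr, proxyHeader));
        System.out.println("disabled, direct+forged: " + disabled.resolve(directAddr, forgedHeader));
        System.out.println("enabled,  direct+forged: " + enabled.resolve(directAddr, forgedHeader));
        System.out.println("enabled,  garbage      : " + enabled.resolve(directAddr, "<not-an-ip>"));
    }
}
```

The last two lines of main show the case raphaelbauer is worried about: with the toggle enabled but no proxy actually overwriting the header, the resolver happily reports whatever the caller put in X-Forwarded-For, so the setting should only be switched on once the operator has confirmed that every request reaches the application through a proxy that sets the header itself.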

raphaelbauer commented 10 years ago

Check out: https://github.com/ninjaframework/ninja/pull/225

All feedback welcome :)