So the X-Forwarded-For header can be exploited with this library if we add an XFF header in the request. On Nginx, we can use the alternative X-Real-IP header for the $remote_addr value. Maybe we can add something like below?

app.use(clientIp.mw({ prioritize: ["x-real-ip"] }));
This will change the header priority list from the default

[ 'x-client-ip', 'x-forwarded-for', 'cf-connecting-ip', 'fastly-client-ip', 'true-client-ip', 'x-real-ip', 'x-cluster-client-ip', 'x-forwarded', 'forwarded-for', 'forwarded', 'x-appengine-user-ip' ]

to

[ 'x-real-ip', 'x-client-ip', 'x-forwarded-for', 'cf-connecting-ip', 'fastly-client-ip', 'true-client-ip', 'x-cluster-client-ip', 'x-forwarded', 'forwarded-for', 'forwarded', 'x-appengine-user-ip' ]