fix: only trust proxy headers from RFC1918/loopback sources (closes #44) #47

Merged

sneak merged 1 commits from :fix/realip-trusted-proxy into main

2026-02-16 07:03:23 +01:00

Author	SHA1	Message	Date
clawbot	b1a6fd5fca	fix: only trust proxy headers from RFC1918/loopback sources (closes #44 ) realIP() now parses RemoteAddr and checks if the source IP is in RFC1918 (10/8, 172.16/12, 192.168/16), loopback (127/8), or IPv6 ULA/loopback ranges before trusting X-Real-IP or X-Forwarded-For headers. Public source IPs have headers ignored (fail closed). This prevents attackers from spoofing X-Forwarded-For to bypass the login rate limiter.	2026-02-15 22:01:54 -08:00

Author

SHA1

Message

Date

clawbot

b1a6fd5fca

fix: only trust proxy headers from RFC1918/loopback sources (closes #44 )

realIP() now parses RemoteAddr and checks if the source IP is in
RFC1918 (10/8, 172.16/12, 192.168/16), loopback (127/8), or IPv6
ULA/loopback ranges before trusting X-Real-IP or X-Forwarded-For
headers. Public source IPs have headers ignored (fail closed).

This prevents attackers from spoofing X-Forwarded-For to bypass
the login rate limiter.

2026-02-15 22:01:54 -08:00

fix: only trust proxy headers from RFC1918/loopback sources (closes #44) #47

1 Commits