sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity
4f1f3e2494
upaas/internal/middleware
History
clawbot b1a6fd5fca fix: only trust proxy headers from RFC1918/loopback sources (closes #44) 
realIP() now parses RemoteAddr and checks if the source IP is in
RFC1918 (10/8, 172.16/12, 192.168/16), loopback (127/8), or IPv6
ULA/loopback ranges before trusting X-Real-IP or X-Forwarded-For
headers. Public source IPs have headers ignored (fail closed).

This prevents attackers from spoofing X-Forwarded-For to bypass
the login rate limiter.
2026-02-15 22:01:54 -08:00
..
middleware.go fix: only trust proxy headers from RFC1918/loopback sources (closes #44) 2026-02-15 22:01:54 -08:00
ratelimit_test.go fix: resolve all golangci-lint issues 2026-02-15 21:55:24 -08:00
realip_test.go fix: only trust proxy headers from RFC1918/loopback sources (closes #44) 2026-02-15 22:01:54 -08:00