Skip to content

Fix spoofable X-Forwarded-For header for some proxied services

X-Forwarded-For is defined as X-Forwarded-For: , , , and it was set to $proxy_add_x_forwarded_for which is basically http_x_forwarded_for,remote_addr and headers from the client can't be trusted!

Fix #292 (closed)


Already deployed

Edited by Kristian Klausen

Merge request reports

Loading