aagbsn commented Oct 29, 2025

For clarification of #1022
What is the expected behavior if the request contains multiple X-Forwarded-For headers?

If a malicious client posts a report with a false IP and the same false IP in an additional X-Forwarded-For, then a mismatch will not be detected.

LDiazN commented Oct 29, 2025

If there is more than 1 IP in X-Forwarded-For, we follow this piece:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For#directives

> A proxy IP address. If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. This means that the rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the address of the originating client.

And assume that the first one is the originating client (we only check that one) and the rest are proxy servers.

It's true that a malicious client could use the same IP for the bad ASN and CC; that case would require more work to work around, but the current setup allows us to manage innocuous cases like the geoip database shipped with the probe being outdated, which is more common.
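An added example, not part of the thread or the project's code: it flattens several X-Forwarded-For lines into one chain and compares the leftmost entry (the rule described above) with the first entry to the left of known proxies. The `10.0.0.0/8` proxy network, the sample header values and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the client sent its own X-Forwarded-For line; the two
# proxies in front of the API (assumed to live in 10.0.0.0/8) appended theirs.
SAMPLE_HEADERS = ["203.0.113.7", "198.51.100.23, 10.0.0.5"]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical


def xff_chain(header_values):
    """Flatten every X-Forwarded-For line, in arrival order, into one list.

    Entries that are not valid IPs are kept as None so positions are preserved.
    """
    chain = []
    for value in header_values:
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            try:
                chain.append(ipaddress.ip_address(item))
            except ValueError:
                chain.append(None)
    return chain


def leftmost_ip(chain):
    """The rule described in the thread: the first entry is the client."""
    return chain[0] if chain else None


def rightmost_untrusted_ip(chain, trusted_proxies):
    """Walk from the right past known proxies; the first other entry was
    appended by trusted infrastructure rather than supplied by the client."""
    for ip in reversed(chain):
        if ip is None:
            return None  # malformed entry: no reliable address to report
        if not any(ip in net for net in trusted_proxies):
            return ip
    return None


if __name__ == "__main__":
    chain = xff_chain(SAMPLE_HEADERS)
    print("leftmost:", leftmost_ip(chain))
    print("rightmost untrusted:", rightmost_untrusted_ip(chain, TRUSTED_PROXIES))
```

When the two results differ, at least one entry to the left of the proxy-appended address was supplied by the client itself.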
