On Thu, Mar 24, 2011 at 4:35 PM, bradford <[email protected]> wrote:
> I know there have been several emails about this, but what is the most
> secure way of logging the client's IP address in the application code?
> Do you just log the full X-Forwarded-For comma delimited value?
> Also, can't they manipulate the X-Forwarded-For header in the HTTP
> request?
Delete any existing headers using reqdel/reqidel.

    reqidel X-Forwarded-For
    option forwardfor

This will ensure the only one the backend sees is the one you added.
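
Added example, not part of the original message: one way the application side could pick the address to log once the proxy is configured as above. The function name, the trusted proxy address and the sample inputs are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address the HAProxy instance connects from (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_for_log(peer_addr, xff_values):
    """Return the address to write to the application log.

    peer_addr  -- source address of the TCP connection to the backend
    xff_values -- every X-Forwarded-For header value received, as a list
    """
    peer = ipaddress.ip_address(peer_addr)
    # A request that did not come through the proxy can carry any header it
    # likes, so ignore X-Forwarded-For and log the socket peer instead.
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # Flatten repeated headers and comma-delimited lists into one sequence.
    entries = [e.strip() for v in xff_values for e in v.split(",") if e.strip()]
    if not entries:
        return str(peer)
    # With client-supplied headers deleted at the proxy there is one entry.
    # If several arrive anyway, the last one is the header the proxy added;
    # earlier entries are client-controlled and must not be trusted.
    candidate = entries[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Not an IP literal: never copy raw header text into the log.
        return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, X-Forwarded-For values).
    samples = [
        ("10.0.0.5", ["203.0.113.7"]),
        ("10.0.0.5", ["1.2.3.4, 5.6.7.8", "203.0.113.7"]),
        ("198.51.100.9", ["1.2.3.4"]),
        ("10.0.0.5", ["x\r\nforged log line"]),
    ]
    for peer, xff in samples:
        print(peer, xff, "->", client_ip_for_log(peer, xff))
```

Logging only a parsed IP literal also keeps CR/LF or other injected text in the header out of the log file.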

