Christopher Weimann wrote:
> Jonathan Vanasco wrote:
>> maybe someone can make a middleware or pylons patch + config setting
>> that migrates X_FORWARDED_FOR to REMOTE_ADDR
>>
>
> REMOTE_ADDR is typically set by your webserver and can be trusted.
> X_FORWARDED_FOR is an HTTP header typically set by proxy servers or even the
> client and I would have to say it can NOT be trusted so should certainly not
> replace the reliable data in REMOTE_ADDR.

This is in part the reason why it is handled in middleware. If you *do* have a proxy in your installation then you can (and should) trust X-Forwarded-For, and moving it to REMOTE_ADDR signifies the trustworthiness of the value. If you are not behind a proxy you should ignore the value. (Arguably, maybe you should even remove the header or reject the request, but nothing currently does that.)

--
Ian Bicking : [EMAIL PROTECTED] : http://blog.ianbicking.org
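
A sketch of the middleware discussed in this thread, added here as an example; it is not code from Pylons, Paste, or either poster. The class name `ForwardedForMiddleware`, the `trusted_proxies` setting and the helper `seen_by_app` are hypothetical, the addresses are constructed, and the example goes beyond the thread by handling a chain of several proxies and by always stripping the header before the application sees it.

```python
import ipaddress

class ForwardedForMiddleware:
    """WSGI middleware: move X-Forwarded-For into REMOTE_ADDR only for trusted peers."""

    def __init__(self, app, trusted_proxies=()):
        self.app = app
        # Empty setting means "not behind a proxy": the header is never trusted.
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def _is_trusted(self, addr):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return False
        return any(ip in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Always strip the header so downstream code cannot read an unvetted value
        # (a design choice of this example).
        forwarded = environ.pop("HTTP_X_FORWARDED_FOR", None)
        if forwarded and self._is_trusted(environ.get("REMOTE_ADDR", "")):
            # Walk right to left: each of our proxies appended the peer it saw.
            # The first hop that is not one of our proxies is the client;
            # everything to its left was supplied by that client and is ignored.
            for hop in reversed(forwarded.split(",")):
                hop = hop.strip()
                if self._is_trusted(hop):
                    continue
                try:
                    ipaddress.ip_address(hop)
                except ValueError:
                    break  # malformed entry: keep the proxy's own address
                environ["REMOTE_ADDR"] = hop
                break
        return self.app(environ, start_response)

def seen_by_app(trusted, peer, forwarded):
    """Run one constructed request through the middleware; return the app's view."""
    seen = {}
    def app(environ, start_response):
        seen.update(environ)
        return []
    environ = {"REMOTE_ADDR": peer}
    if forwarded is not None:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded
    ForwardedForMiddleware(app, trusted)(environ, None)
    return seen["REMOTE_ADDR"], "HTTP_X_FORWARDED_FOR" in seen
```
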
