On March 3, 2011, Chris McDonough wrote:
> environ.get('HTTP_X_FORWARDED_FOR', environ['REMOTE_ADDR'])

You can only trust X_FORWARDED_FOR if there is a proxy in front of your app. If the app is facing the Web without a proxy, you should read REMOTE_ADDR because X_FORWARDED_FOR is trivial to spoof. In some cases, you will indeed get the IP of a remote proxy instead of the real client IP but for most usage, that should do the trick. I tend to have a config key that tells me if the app is deployed behind a proxy or not and my helper function to get the client IP acts accordingly.

--
Yannick Gingras
http://ygingras.net
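A config-driven helper of the kind described in the message above, as an added example that is not part of the original post. `trusted_proxy_hops` is a hypothetical config key and the sample environ values are constructed; the example goes beyond the message by also handling chained proxies and malformed header values.

```python
import ipaddress


def client_ip(environ, trusted_proxy_hops=0):
    """Return the client IP for a WSGI request.

    trusted_proxy_hops is a hypothetical config key: 0 means the app faces
    the Web directly, N means N proxies that we operate sit in front of it.
    """
    remote_addr = environ["REMOTE_ADDR"]
    if trusted_proxy_hops <= 0:
        # No proxy in front: the header is client-controlled, ignore it.
        return remote_addr

    header = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    # Each proxy appends the address it accepted the connection from, so
    # only the last N entries were written by our own proxies. Anything
    # further left came from the client and may be forged.
    if len(hops) < trusted_proxy_hops:
        return remote_addr
    candidate = hops[-trusted_proxy_hops]
    try:
        # Normalise and reject values that are not IP addresses.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


# Constructed sample requests (documentation address ranges).
DIRECT_SPOOFED = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "198.51.100.1",  # sent by the client itself
}
BEHIND_ONE_PROXY = {
    "REMOTE_ADDR": "10.0.0.2",  # our proxy
    # The client sent a forged first entry; the proxy appended the real peer.
    "HTTP_X_FORWARDED_FOR": "198.51.100.1, 203.0.113.7",
}
BEHIND_PROXY_GARBAGE = {
    "REMOTE_ADDR": "10.0.0.2",
    "HTTP_X_FORWARDED_FOR": "not-an-ip",
}

if __name__ == "__main__":
    print(client_ip(DIRECT_SPOOFED, 0))
    print(client_ip(BEHIND_ONE_PROXY, 1))
    print(client_ip(BEHIND_PROXY_GARBAGE, 1))
```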
