by danhite 323 days ago
thank you for your comment:

> The article seems to forget the step of checking the real TCP connection remote address (from my skimming)

as this alerted me when reading the article to see their very important, but not highlighted, caveat emptor that covers this dangerous case:

  Note that this logic assumes that your server is not directly accessible. 
  If it is, you need to check the actual request source IP address is one of yours first - 
  effectively treating that as an extra right-most address.

Ah, so it does.

But when you make an assumption, you make an ass of u and mption. To have your webserver simply assume that anybody who manages to connect is trusted is not a great plan.

There's a right way to do it (see my previous comment), so it seems to me that one shouldn't do the wrong thing and hope that it's not a problem.

> the actual request source IP address is one of yours first

I guess this also confused me skimming. "One of yours". No, you check if it's coming from where it's supposed to be coming, I'd say. Or from the trusted list, as I'd call it.
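The check both commenters and the quoted article note describe, as an added example in Python (not code from the article, from Hacker News, or from either commenter): the TCP peer address is treated as an extra right-most hop and must be on the trusted-proxy list before any X-Forwarded-For value is believed; the header is then walked from right to left, skipping trusted proxies, and the first untrusted address is the client. The trusted ranges and sample addresses are constructed for illustration, and `naive_client_ip` shows the spoofable left-most lookup the thread warns against.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Parse one address, returning None for anything that is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr: IPAddress, trusted: List[IPNetwork]) -> bool:
    # `addr in net` is False (not an error) when the IP versions differ.
    return any(addr in net for net in trusted)


def naive_client_ip(xff_header: Optional[str]) -> Optional[str]:
    """The wrong way: take the left-most X-Forwarded-For entry and ignore the TCP peer.
    Anyone who can reach the server, directly or through our proxies, chooses this value."""
    if not xff_header:
        return None
    first = xff_header.split(",")[0].strip()
    return first or None


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the client address, trusting X-Forwarded-For only behind our own proxies.

    remote_addr     -- the real TCP peer of the accepted connection
    xff_header      -- raw X-Forwarded-For header value, or None if absent
    trusted_proxies -- CIDR ranges (constructed for this example) of proxies we operate
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    peer = _parse_ip(remote_addr)
    if peer is None:
        raise ValueError(f"unparseable peer address: {remote_addr!r}")

    # Step 1: the TCP peer is the extra right-most hop. If it is not one of
    # ours, the request did not come through our proxies, so the whole header
    # is attacker-controlled and the peer itself is the client.
    if not _is_trusted(peer, trusted):
        return str(peer)

    # Step 2: walk the header right to left, skipping our own proxies. The
    # first address that is not one of ours is what our nearest proxy saw.
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse_ip(hop)
        if addr is None:
            # A trusted proxy recorded something that is not an IP literal;
            # we cannot name the client, so make the caller reject or log it.
            raise ValueError(f"malformed X-Forwarded-For hop: {hop.strip()!r}")
        if not _is_trusted(addr, trusted):
            return str(addr)

    # Header absent or every hop is one of ours: the peer proxy is the client
    # (e.g. a health check originating inside the proxy tier).
    return str(peer)


if __name__ == "__main__":
    # Constructed scenario: our proxies live in 10.0.0.0/8; a client at
    # 203.0.113.9 connects directly and forges a header claiming 198.51.100.1.
    trusted = ["10.0.0.0/8"]
    print(naive_client_ip("198.51.100.1"))                     # 198.51.100.1 (forged)
    print(client_ip("203.0.113.9", "198.51.100.1", trusted))   # 203.0.113.9 (real peer)
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7, 10.0.0.4", trusted))  # 198.51.100.7
```

The two-step order matters: a deployment that is only reachable through its proxies can skip step 1, but the moment the origin is exposed (misconfigured security group, a second listener, a leaked internal hostname) step 2 alone lets any direct connection pick its own "client" address, which is exactly the case the article's note covers.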