HFS ~ HTTP File Server / Re: Q / REQ : Proxied client IP detection
« on: April 12, 2008, 06:12:35 AM »

The problem is about people trying to spoof their IP, to make HFS show an incorrect IP in the log.
Apache is a trusted source, but there's no way for HFS to know it's Apache.
A safe way may be to show it instead of the IP, but only if the IP is 127.0.0.1, because we may assume that software running on your own PC is trusted.
Any opinion?
Any implementation of this option would be great; the "connection from localhost" requirement will make it a little more secure.
Actually, I didn't even know about this header till two days ago, therefore never thought about the spoofing issue.
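A sketch of the rule discussed in this thread, added here as an example and not taken from the posts or from HFS's own code: the forwarded address is used for the log only when the connection itself comes from loopback. It assumes the header is `X-Forwarded-For` (the thread does not name it) and that the local proxy appends the address it saw as the last entry; `logged_client_ip` and its parameters are hypothetical names.

```python
import ipaddress
from typing import Optional


def logged_client_ip(peer_ip: str, forwarded_for: Optional[str]) -> str:
    """Return the address to write to the log for one request.

    peer_ip       -- address of the TCP peer, as reported by the socket
    forwarded_for -- raw X-Forwarded-For value (assumed header name), or None
    """
    peer = ipaddress.ip_address(peer_ip)
    # A dual-stack listener may report 127.0.0.1 as ::ffff:127.0.0.1.
    mapped = getattr(peer, "ipv4_mapped", None)
    if mapped is not None:
        peer = mapped

    # Any remote client can send the header, so it is only considered
    # when the connection comes from software on the same machine.
    if not peer.is_loopback or not forwarded_for:
        return peer_ip

    # Assumption: the local proxy appends the address it saw as the last
    # entry; anything before it was supplied by the client and is ignored.
    candidate = forwarded_for.split(",")[-1].strip()
    try:
        # Only a well-formed address reaches the log; this also keeps
        # CR/LF and other junk in the header out of the log file.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, header value)
    samples = [
        ("127.0.0.1", "203.0.113.7"),             # local proxy, real client
        ("198.51.100.9", "203.0.113.7"),          # remote client sending the header
        ("127.0.0.1", "10.0.0.1, 203.0.113.7"),   # client-supplied entry + proxy entry
        ("127.0.0.1", "not-an-ip\r\nfake entry"), # malformed value
    ]
    for peer, header in samples:
        print(f"{peer!r:16} {header!r:32} -> {logged_client_ip(peer, header)}")
```
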