A
Aseem Kishore
Documenting for others (wasn't sure about this, so did a test):
Looks like Render does not
clear or reset
any passed-in X-Forwarded-For
header (it only appends
to it), so a client could spoof its IP by setting this header itself.(That's not necessarily wrong of Render: a developer could legitimately put a Render app behind
another
proxy or load balancer, which would also set this header. But maybe render.yaml
could have a setting to control this, to prevent accidental security vulnerabilities.)That said, I'm also seeing that Cloudflare (most likely) is also adding these two request headers, which seem to guard against spoofing:
- CF-Connecting-IP(https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip)
- True-Client-IP(https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#true-client-ip-enterprise-plan-only) — seems like this is an alias
—
Anurag Goel: a few quick q's:
- Is it safe to rely on Render remaining on CloudFlare? (i.e. Would it be safe to use these CloudFlare headers that aren't documented on Render's side?)
- Alternately, is it safe to rely on Render only ever adding oneIP address toX-Forwarded-For? (Or might Render ever route through multiple proxiesandadd each of those proxies' IP addresses to this header?)
- Alternately, could Render document and guarantee a True-Client-IPheader that we can/should use for this purpose?
Thank you!
Anurag Goel
updated the status to
complete
Anurag Goel
render_k9tmadbsncix4 has it right: we set the first IP in the list to the real client IP. Please email us at support@render.com if you aren't seeing this behavior for your site.
r
render_k9tmadbsncix4
Looks like the real/client IP address should be first: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For