KeyByRealIP is susceptible to spoofing

Open mschwager opened this issue 11 months ago • 0 comments

Hi there,

I was recently reading The perils of the “real” client IP and noticed that this library is vulnerable to the attacks described in that post. Due to the following items in go-chi/chi, I suspect you're already aware of this issue: https://github.com/go-chi/chi/issues/711, https://github.com/go-chi/chi/pull/967.

I'm opening this issue to ensure that whatever improvements are made to go-chi/chi to remediate this issue are also made to go-chi/httprate. realclientip-go also looks good to me, so I wonder if there's an opportunity to use that implementation.

Feb 20 '25 11:02 mschwager