2 days ago
For my app in [Southeast Asia region], does your edge proxy fully construct/overwrite the X-Forwarded-For header based on the real observed client connection, or does it append onto a client-supplied X-Forwarded-For value if one is already present in the incoming request? I need to know whether a client can prepend fake entries ahead of the real client IP for rate-limiting purposes.
I saw @phin's reply in the 'Security-Critical Questions on Edge Proxy Header Handling and Hop Count' thread confirming Railway strips X-Forwarded-For at the edge and clients can't overwrite it. Can you confirm this holds for my project specifically — IceVault / web / production, [Southeast Asia region]? I'm currently seeing exactly 2 entries in X-Forwarded-For (real client leftmost, one internal Railway hop after it) and want to confirm that's a stable, guaranteed shape for my setup before I rely on it for rate-limiting security, not just something that happened to hold today.
0 Replies
Status changed to Awaiting Railway Response Railway • 2 days ago
2 days ago
This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.
Status changed to Open Railway • 2 days ago