X-Forwarded-For behavior — edge overwrite vs. client-append
tfenk
PROOP

2 days ago

For my app in [Southeast Asia region], does your edge proxy fully construct/overwrite the X-Forwarded-For header based on the real observed client connection, or does it append onto a client-supplied X-Forwarded-For value if one is already present in the incoming request? I need to know whether a client can prepend fake entries ahead of the real client IP for rate-limiting purposes.

I saw @phin's reply in the 'Security-Critical Questions on Edge Proxy Header Handling and Hop Count' thread confirming Railway strips X-Forwarded-For at the edge and clients can't overwrite it. Can you confirm this holds for my project specifically — IceVault / web / production, [Southeast Asia region]? I'm currently seeing exactly 2 entries in X-Forwarded-For (real client leftmost, one internal Railway hop after it) and want to confirm that's a stable, guaranteed shape for my setup before I rely on it for rate-limiting security, not just something that happened to hold today.

$20 Bounty

0 Replies

Status changed to Awaiting Railway Response Railway 2 days ago


Railway
BOT

2 days ago

This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.

Status changed to Open Railway 2 days ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...