diff options
| -rw-r--r-- | actionpack/lib/action_dispatch/middleware/remote_ip.rb | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb index ad5e1993aa..4e36c9bb49 100644 --- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb +++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb @@ -17,9 +17,10 @@ module ActionDispatch # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. # This middleware assumes that there is at least one proxy sitting around # and setting headers with the client's remote IP address. If you don't use - # a proxy, because you are hosted on e.g. Heroku, any client can claim to - # have any IP address by setting the X-Forwarded-For header. If you care - # about that, please take precautions. + # a proxy, because you are hosted on e.g. Heroku without SSL, any client can + # claim to have any IP address by setting the X-Forwarded-For header. If you + # care about that, then you need to explicitly drop or ignore those headers + # sometime before this middleware runs. class RemoteIp class IpSpoofAttackError < StandardError; end |