From cc5a4bb4df2390cb57d5a295a4f4a51572012268 Mon Sep 17 00:00:00 2001
From: Andre Arko
Date: Wed, 2 Jan 2013 15:34:27 -0800
Subject: Explain the possible precautions

---
 actionpack/lib/action_dispatch/middleware/remote_ip.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'actionpack/lib/action_dispatch/middleware')

diff --git a/actionpack/lib/action_dispatch/middleware/remote_ip.rb b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
index ad5e1993aa..4e36c9bb49 100644
--- a/actionpack/lib/action_dispatch/middleware/remote_ip.rb
+++ b/actionpack/lib/action_dispatch/middleware/remote_ip.rb
@@ -17,9 +17,10 @@ module ActionDispatch
 # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
 # This middleware assumes that there is at least one proxy sitting around
 # and setting headers with the client's remote IP address. If you don't use
- # a proxy, because you are hosted on e.g. Heroku, any client can claim to
- # have any IP address by setting the X-Forwarded-For header. If you care
- # about that, please take precautions.
+ # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
+ # claim to have any IP address by setting the X-Forwarded-For header. If you
+ # care about that, then you need to explicitly drop or ignore those headers
+ # sometime before this middleware runs.
 class RemoteIp
 class IpSpoofAttackError < StandardError; end
-- 
cgit v1.2.3
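Review bot: The new guidance "explicitly drop or ignore those headers sometime before this middleware runs" still leaves the reader without a concrete mechanism, and it should say that the spoofing check this class raises `IpSpoofAttackError` for (visible just below the comment) does not cover this case, since that check only compares headers that an unproxied client controls entirely. I would extend the new comment with `# The IpSpoofAttackError check below does not protect you here: it only` / `# compares proxy-supplied headers, all of which an unproxied client can set.` The "without SSL" qualifier also reads as if TLS alone prevented header spoofing; if the intent is that a particular hosting setup terminates TLS at a proxy that overwrites the header, the comment should say so rather than tie the risk to SSL in general. The RemoteIp class body continues outside the hunk.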