Commit graph

1 commit

Author SHA1 Message Date
Erik
5f7b4dcd55 fix(tracker-go): key login rate limiter on X-Real-IP, not spoofable XFF
nginx's X-Forwarded-For is $proxy_add_x_forwarded_for, which only appends
to whatever the client sends — a forged leftmost hop passed straight
through, letting an attacker rotate spoofed values to dodge the 5s login
cooldown. X-Real-IP is set by nginx to $remote_addr on every proxied
location and can't be forged by the client, so key on that instead.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 22:43:43 +02:00