Rabbit Hole
cryptic.ioI was thinking of missing/incorrect header when the post started talking about setting IP Address from an optional header. As someone has already said, 'Never trust a client'. But while its very easy to say, its not so hard to remember in practice. I find it even harder to remember when the client is essentially some other part of your application.
Reminds me of this hack using the x-forwarded-for header:
http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-ha...
(Anatomy of an Attack: How I Hacked StackOverflow)
and this:
(Exploits of a Mom)
Never trust the client....