Skip to content

IP Spoofing in Rate Limiter #151

Description

@roshankumar0036singh

Problem Statement

The rate limiter relies directly on c.ClientIP(). When deployed behind reverse proxies or load balancers (like Nginx, Cloudflare), malicious users can easily bypass rate limits by spoofing the X-Forwarded-For header.

Technical Approach

Explicitly configure Gin's SetTrustedProxies with the known internal IP ranges of the load balancers, ensuring c.ClientIP() only parses headers from trusted sources.

Acceptance Criteria

  • Rate limiting cannot be bypassed by injecting fake IP headers.
  • Genuine client IPs are accurately logged in the audit trail.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions