Is there a way to reliably determine whether an in...
# ktorq
Quap
03/15/2023, 6:08 AMIs there a way to reliably determine whether an incoming request is coming from a local connection? I want to make an admin panel that is accessible from the machine hosting the server only, but I see the warning about using call.request.local.remoteAddress...
a
Aleksei Tirman [JB]
03/15/2023, 6:48 AMWhat warning do you see when using
call.request.local.remoteAddressq
Quap
03/15/2023, 6:57 AMFrom the docs here: https://api.ktor.io/ktor-http/io.ktor.http/-request-connection-point/index.html
Client address. For io.ktor.application.ApplicationRequest.local instance could point to a proxy our application running behind. NEVER use it for user authentication as it can be easily falsified (user can simply set some HTTP headers such as X-Forwarded-Host so you should NEVER rely on it in any security checks). If you are going to use it to create a back-connection, please do it with care as an offender can easily use it to force you to connect to some host that is not intended to be connected to so that may cause serious consequences.
Quap
03/15/2023, 6:59 AMIs this only applicable when behind a proxy? I tested a bit sending X-Forwarded headers and couldn't see any problem
a
Aleksei Tirman [JB]
03/15/2023, 7:10 AMIt can be used without a proxy but it’s not safe to rely on that address.
q
Quap
03/15/2023, 7:20 AMWell, I also don't have the ForwardedHeaders plugins installed also - so there should be zero risk I think? If someone tried to gain access to the system this way, the method would not work because the X-Forwarded headers would simply be disregarded - is this correct? Thanks for the replies btw, you have helped me before and I appreciate it!
Quap
03/15/2023, 7:20 AM5 Views