Can IP address be spoofed when reading ApplicationRequest.local.remoteAddress but Forwarded Headers plugin is not installed?