Skip to content

fix(security): add validation for X-Forwarded-For header in rate limiter#959

Open
anshul23102 wants to merge 3 commits into
imDarshanGK:mainfrom
anshul23102:fix/709-xforwarded-validation
Open

fix(security): add validation for X-Forwarded-For header in rate limiter#959
anshul23102 wants to merge 3 commits into
imDarshanGK:mainfrom
anshul23102:fix/709-xforwarded-validation

Conversation

@anshul23102
Copy link
Copy Markdown

@anshul23102 anshul23102 commented Jun 8, 2026

Summary

This PR fixes the rate limiter vulnerability by adding validation for X-Forwarded-For headers. The rate limiter now requires explicit configuration before trusting proxy headers, preventing trivial per-IP bypass attacks.

Problem

The get_client_key() function in middleware.py blindly trusts the X-Forwarded-For header without validation:

  • Any client can spoof X-Forwarded-For to appear as different IPs
  • Rate limiting per client IP becomes ineffective
  • Attackers can bypass rate limits by sending different IPs in each request

Solution

  1. Added TRUST_PROXY_HEADERS environment variable (defaults to false)
  2. Header validation - only uses X-Forwarded-For if explicitly enabled
  3. Secure IP extraction - uses rightmost IP in chain (most recent/trusted hop)
  4. Fallback behavior - defaults to direct connection IP for security
  5. Production safe - requires explicit opt-in for proxy header trust

Changes

  • backend/app/middleware.py: Updated get_client_key() with conditional proxy header handling
  • backend/app/config.py: Added trust_proxy_headers boolean setting

Security Impact

  • Prevents spoofed X-Forwarded-For from bypassing rate limits
  • Secure by default (proxy headers not trusted unless enabled)
  • Protects API endpoints from abuse and resource exhaustion

Testing

  • Rate limiting uses direct connection IP by default
  • When TRUST_PROXY_HEADERS=true, uses X-Forwarded-For rightmost IP
  • Spoofed X-Forwarded-For is ignored when disabled
  • Rate limits properly block requests from same IP/proxy

Related Issue

Closes #709

This contribution is part of GSSoC 2026. Please consider adding the gssoc-approved label when reviewed.

@anshul23102
fix(security): enforce JWT_SECRET as required environment variable
522f68e 
- Add _required_env() helper function to enforce mandatory configuration
- Update jwt_secret to use _required_env() instead of fallback to default
- Application now fails fast at startup if JWT_SECRET is not set
- Prevents token forgery attacks from known default secrets

Closes imDarshanGK#707
@anshul23102
fix(security): add authentication to history routes
065f5f0 
- Import get_current_user dependency from security module
- Add authentication requirement to all history endpoints
- Filter history records by current_user.id to prevent cross-user access
- Ensure users can only access their own analysis history
- Save user_id when storing new history entries

Closes imDarshanGK#708
@anshul23102
fix(security): add validation for X-Forwarded-For header in rate limiter
b1574fd 
- Add TRUST_PROXY_HEADERS environment variable to control proxy header trust
- Only use X-Forwarded-For if explicitly enabled via TRUST_PROXY_HEADERS=true
- Default to disabled (uses direct connection IP) for security
- Use rightmost IP in X-Forwarded-For chain (most recent hop)
- Prevents trivial per-IP rate limit bypass from spoofed headers
- Improves rate limiting accuracy in production deployments

Closes imDarshanGK#709
@anshul23102 anshul23102 requested a review from imDarshanGK as a code owner June 8, 2026 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@imDarshanGK imDarshanGK Awaiting requested review from imDarshanGK imDarshanGK is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] Rate limiter uses X-Forwarded-For without validation, enabling trivial per-IP bypass

1 participant

@anshul23102