On Tuesday, July 28, 2020 at 08:31:51 UTC+2, Aymeric Augustin wrote:
>
> - We should focus this on usernames and ignore IP addresses, as most sites 
> are behind a reverse proxy of some kind and no one handles X-Forwarded-For 
> headers right (even Heroku doesn't care — when I reported they were 
> vulnerable to XFF injection, their security team [or, more accurately, 
> their subcontractors] didn't understand the report, even after several 
> rounds of explanation and a working proof of concept)
>

What if we consider REMOTE_ADDR? In the worst case, it is not filled or 
filled with the same proxy address for all requests, and we find ourselves 
in the same case where it is not considered at all. In the best case, it is 
properly filled and then the user gets a bit better DoS protection. 
Am I missing something?

Claude
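The two messages above turn on one question: when may a throttle trust a forwarded address at all? The following is an added example, not code from this thread or from Django itself. It contrasts the naive "take the first X-Forwarded-For entry" approach, which lets a client choose the address it is throttled under, with a hardened variant that only believes hops appended by proxies on an explicit allow-list and otherwise falls back to REMOTE_ADDR (or to nothing, the "not filled" case Claude describes). The META dictionaries, the trusted-proxy ranges and the addresses are constructed for the example; the dictionary shape follows Django's request.META (HTTP_X_FORWARDED_FOR, REMOTE_ADDR), but the helper names are assumptions of this example.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed allow-list: the reverse proxies that are allowed to set XFF.
# In a real deployment this comes from configuration, not from the request.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"]


def naive_client_ip(meta: dict) -> Optional[str]:
    """The pattern the thread warns about: the leftmost XFF entry is whatever the
    client put there, so an attacker picks the address the throttle keys on."""
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    if xff.strip():
        return xff.split(",")[0].strip()
    return meta.get("REMOTE_ADDR")


def _is_trusted(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address at all: never trusted
    return any(ip in net for net in nets)


def client_ip_from_headers(meta: dict, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Hardened variant (assumed helper, not Django's own):

    - if REMOTE_ADDR is missing, give up and return None so the caller can
      throttle on username alone;
    - if REMOTE_ADDR is not a trusted proxy, the request did not pass through
      our infrastructure, so XFF is untrusted input and REMOTE_ADDR wins;
    - otherwise walk the XFF chain from the right, skipping every hop that is a
      trusted proxy (those were appended by us); the first untrusted hop is the
      best available client address.  Anything unparsable there is rejected.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    remote = meta.get("REMOTE_ADDR")
    if not remote:
        return None
    if not _is_trusted(remote, nets):
        return remote
    hops = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, nets):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # injected garbage: refuse to key anything on it
    # Every hop (or no hop) was one of our proxies: the proxy is the client.
    return remote


# Constructed requests.  The client sent "X-Forwarded-For: 1.2.3.4" itself; the
# trusted proxy at 10.0.0.5 appended the real peer address 203.0.113.7.
SPOOFED_VIA_PROXY = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "1.2.3.4, 203.0.113.7",
}
# Same spoofed header, but the request reached the app directly (no proxy).
SPOOFED_DIRECT = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "1.2.3.4",
}
# The "not filled" worst case from the message above.
NO_REMOTE_ADDR = {"HTTP_X_FORWARDED_FOR": "1.2.3.4"}


def throttle_key(username: str, meta: dict) -> str:
    """Key the login throttle on the username first; the address is a secondary
    component and only used when it can be established."""
    ip = client_ip_from_headers(meta, TRUSTED_PROXIES)
    return f"login:{username.lower()}:{ip or 'unknown'}"


if __name__ == "__main__":
    for name, meta in [("via proxy", SPOOFED_VIA_PROXY), ("direct", SPOOFED_DIRECT), ("no REMOTE_ADDR", NO_REMOTE_ADDR)]:
        print(f"{name:>15}: naive={naive_client_ip(meta)!s:12} hardened={client_ip_from_headers(meta, TRUSTED_PROXIES)}")
    print(throttle_key("Alice", SPOOFED_VIA_PROXY))
```

Run stand-alone, the naive helper reports the attacker-chosen 1.2.3.4 in every case, while the hardened helper reports 203.0.113.7 for both spoofed requests and None when REMOTE_ADDR is absent, which is exactly the situation in which a throttle should degrade to username-only rather than to an address the client controls.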

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/77d835d8-85bc-4c7b-ae99-9f27cb4a6543o%40googlegroups.com.
