coolify

History

Andras Bacsai f300ba0118 fix: prevent login rate limit bypass via spoofed headers The login and forgot-password rate limiters were vulnerable to bypass by manipulating the X-Forwarded-For header. Attackers could rotate this header value to circumvent the 5 attempts per minute limit. Changed both rate limiters to use server('REMOTE_ADDR') instead of ip() to prevent header spoofing. REMOTE_ADDR gives the actual connecting IP before proxy headers are processed. Also added comprehensive unit tests to verify the fix. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-28 09:47:13 +01:00
..
LoginRateLimitTest.php	fix: prevent login rate limit bypass via spoofed headers	2025-10-28 09:47:13 +01:00

Andras Bacsai f300ba0118 fix: prevent login rate limit bypass via spoofed headers

The login and forgot-password rate limiters were vulnerable to bypass
by manipulating the X-Forwarded-For header. Attackers could rotate
this header value to circumvent the 5 attempts per minute limit.

Changed both rate limiters to use server('REMOTE_ADDR') instead of
ip() to prevent header spoofing. REMOTE_ADDR gives the actual
connecting IP before proxy headers are processed.

Also added comprehensive unit tests to verify the fix.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-28 09:47:13 +01:00

LoginRateLimitTest.php

fix: prevent login rate limit bypass via spoofed headers

2025-10-28 09:47:13 +01:00