req.headers.get('X_FORWARDED_FOR', req.remote_addr) in many places and
request.headers.get('X-Remote-Addr', request.remote_addr) in one. We should standardize this and make the custom header a
.ini setting so that folks can use whatever they need (or none) based on their deployment configuration.
I think we should default to none since that is safest. In
development.ini we can show an example config for X_FORWARDED_FOR since that is common.
Log in to post a comment.