From 88110ed268a3e46ccce610486abfb2cf8f39fbde Mon Sep 17 00:00:00 2001 From: Feiko Nanninga Date: Thu, 14 Nov 2019 03:32:47 +0100 Subject: [PATCH] Add security note to ConnectionInfo::remote() (#1158) --- src/info.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/info.rs b/src/info.rs index 61914516e..a9c3e4eeb 100644 --- a/src/info.rs +++ b/src/info.rs @@ -162,6 +162,12 @@ impl ConnectionInfo { /// - Forwarded /// - X-Forwarded-For /// - peer name of opened socket + /// + /// # Security + /// Do not use this function for security purposes, unless you can ensure the Forwarded and + /// X-Forwarded-For headers cannot be spoofed by the client. If you want the client's socket + /// address explicitly, use + /// [`HttpRequest::peer_addr()`](../web/struct.HttpRequest.html#method.peer_addr) instead. #[inline] pub fn remote(&self) -> Option<&str> { if let Some(ref r) = self.remote {