Synapse does not check that the chain in X-Forwarded-For is trusted, and so an attacker can spoof their IP address if the reverse proxy does not sanitize X-Forwarded-For. Ideally, we should be able to pass a set of trusted IP addresses, and synapse should only trust X-Forwarded-For if: 1) the request comes from a trusted IP address, and 2) every IP address in X-Forwarded-For, other than the first one, is trusted.

This can be mitigated by ensuring that the X-Forwarded-For header is sanitized before it hits synapse. For example, the public-facing reverse-proxy should remove any X-Forwarded-For header that it receives.

The IP address seems to be used for:

• checking that AS requests come from trusted IP addresses
• rate limiting registration requests
• UI auth (maybe?)
• request logging
• last-seen IP address for devices