X-Forwarded-For header should be processed last-to-first to prevent IP spoofing

## Description

`X-Forwarded-For` header should be processed last-to-first to prevent IP spoofing, as explained in this [post](https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/). It would be needed to set up IP addresses of known proxies to be ignored.

## Current implementation

In [context.go](https://github.com/gin-gonic/gin/blob/731c827892f5b1eac9f58fc65cef32fa1908972c/context.go#L688):

```go
func (c *Context) ClientIP() string {
	if c.engine.ForwardedByClientIP {
		clientIP := c.requestHeader("X-Forwarded-For")
		clientIP = strings.TrimSpace(strings.Split(clientIP, ",")[0])
		if clientIP == "" {
			clientIP = strings.TrimSpace(c.requestHeader("X-Real-Ip"))
		}
		if clientIP != "" {
			return clientIP
		}
	}
	...
```



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

X-Forwarded-For header should be processed last-to-first to prevent IP spoofing #2232

Description

Current implementation

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

X-Forwarded-For header should be processed last-to-first to prevent IP spoofing #2232

Description

Description

Current implementation

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions