Is it safe to trust the values of $_SERVER["HTTP_CF_CONNECTING_IP"]?

Is it safe to rely directly on the value of the variable $_SERVER["HTTP_CF_CONNECTING_IP"], or is there a need to filter or sanitize it?

Is it safe to use it like this?

$resposta = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=" . urlencode($chave_secreta) . "&response=" . urlencode($captcha_data) . "&remoteip=" . urlencode($_SERVER["HTTP_CF_CONNECTING_IP"]));

1 answer

This is safe only if you are using Cloudflare, and in addition, are only exposing your connection to Cloudflare.


In general, you must refuse any connection from anywhere except the IPs listed at https://www.cloudflare.com/pt-br/ips/.


If you are using NGINX, you can use something like the configuration below to restrict access so that only Cloudflare can reach the server:

allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;

allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
allow 104.16.0.0/13;
allow 104.24.0.0/14;

deny all;
  • Can this variable be changed by the user so that he can carry out some attack, for example XSS?

  • It can only be changed if the connection is made from outside Cloudflare. You can test it yourself: curl -H "Host: seusite.com" -H "HTTP_CF_CONNECTING_IP: QualquerCoisa" https://seusite.com and do the same using the direct IP (instead of the site, via CF). When you use Cloudflare, it is responsible for overwriting the header value, and the visitor will not be able to change it arbitrarily. But, as I mentioned in the answer, if you allow external connections (in which case the direct IP can be used), the visitor can change the header value arbitrarily.
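One way to apply the answer's advice inside the PHP application as well, as an added example that is not code from the question or the answer: honour the header only when the request's direct peer (REMOTE_ADDR) is one of the Cloudflare ranges listed above, and fall back to REMOTE_ADDR otherwise. The ipInCidr and clientIp helpers and the sample addresses are constructed for this example.

```php
<?php
// Added example (not from the original question/answer): honour CF-Connecting-IP
// only when the TCP peer (REMOTE_ADDR) is in Cloudflare's published ranges, taken
// from the answer above; refresh them from https://www.cloudflare.com/ips/.
const CLOUDFLARE_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '172.64.0.0/13',
    '131.0.72.0/22', '104.16.0.0/13', '104.24.0.0/14', '2400:cb00::/32',
    '2606:4700::/32', '2803:f800::/32', '2405:b500::/32', '2405:8100::/32',
    '2a06:98c0::/29', '2c0f:f248::/32',
];

// True if $ip lies within $cidr; compares packed binary forms so IPv4 and IPv6
// are handled by the same code.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = filter_var($ip, FILTER_VALIDATE_IP) === false ? false : inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or IPv4/IPv6 mismatch
    }
    $full = intdiv((int) $bits, 8);      // whole bytes that must match exactly
    $rem = ((int) $bits) % 8;           // leftover high bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $mask = $rem === 0 ? 0 : (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// The address to treat as the visitor. $server is $_SERVER, passed in for testability.
// The header is used only when the peer is Cloudflare and the header parses as an IP.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hdr = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (CLOUDFLARE_RANGES as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            return filter_var($hdr, FILTER_VALIDATE_IP) !== false ? $hdr : $peer;
        }
    }
    return $peer; // request bypassed Cloudflare: ignore the header
}

// Constructed sample requests: one arriving via Cloudflare, one hitting the origin directly.
echo clientIp(['REMOTE_ADDR' => '104.16.1.1', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7']), "\n";
echo clientIp(['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7']), "\n";
```

Keep the NGINX allow/deny rules as well; this check only decides which address the application treats as the visitor, it does not stop direct connections to the origin.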
