HN Reader

The Elements of Artificial Intelligence (bradygerber.com)

1 points by bg-write 45s ago 0 comments

Suzuki Fronx: An affordable city SUV with one tonne weight (globalsuzuki.com)

1 points by teleforce 3m ago 0 comments

Interactive Programming in C (2014) (nullprogram.com)

2 points by ofalkaed 5m ago 0 comments

Palmer Luckey considering entering laptop market with US-made model (tomshardware.com)

1 points by simonpure 6m ago 0 comments

Why Is There a Date of 1968 in the Intel Chipset Device Software Utility? (intel.com)

1 points by vegadw 7m ago 0 comments

Cable Bacteria Are Living Batteries (asimov.press)

1 points by mailyk 9m ago 0 comments

Scottie Scheffler raised questions about happiness and fulfillment (nytimes.com)

1 points by ricciardo 9m ago 0 comments

Voltaire: Enlightenment Philosopher and Lottery Scammer (smithsonianmag.com)

1 points by rbanffy 9m ago 0 comments

The Science Behind Coincidences. July 14, 1993, Joan Ginther Walks Into (medium.com)

1 points by rbanffy 9m ago 0 comments

SoftBank and OpenAI's $500B AI Project Struggles to Get Off Ground (wsj.com)

2 points by radialstub 9m ago 0 comments

Ask HN: Helping people medically with technology, what is the reality?

2 points by ge96 11m ago 1 comments

FastVLM: Efficient Vision Encoding for Vision Language Models (machinelearning.apple.com)

1 points by 2bit 12m ago 0 comments

Seeing the Lottery (seths.blog)

2 points by herbertl 12m ago 0 comments

Zero Knowledge Proofs (2024) (code.sgo.to)

1 points by mooreds 12m ago 0 comments

I Have vs. I Am (nik.art)

1 points by herbertl 12m ago 0 comments

Warp: The Agentic Development Environment (warp.dev)

1 points by thunderbong 12m ago 0 comments

Ask HN: Why do vibecoding tools still struggle so much with back end generation?

1 points by stosssik 16m ago 0 comments

The Many Faces of Agentic Identities (cyata.ai)

1 points by mooreds 17m ago 0 comments

Show HN: ProdE – Give AI coding tools context for multi-repo codebases (prode.ai)

1 points by curious_nile 19m ago 1 comments

Top UN court says countries can sue each other over climate change (bbc.com)

1 points by tartoran 19m ago 0 comments

File Storage vs. Object Storage vs. Block Storage (blog.algomaster.io)

1 points by stosssik 19m ago 0 comments

The big winner from Coca-Cola's Trump-inspired sugar push (bbc.com)

1 points by tartoran 20m ago 0 comments

Kimi K2 vs. Claude 4 Sonnet: what you should pick for agentic coding (composio.dev)

2 points by homarp 20m ago 0 comments

IRS has lost one-quarter of its IT staff since Trump took office (theregister.com)

2 points by rntn 21m ago 0 comments

Researchers improve radiant cooling to make outdoor temperatures feel cooler (techxplore.com)

2 points by PaulHoule 21m ago 0 comments

Base58 versus Base85 Encoding (johndcook.com)

2 points by zdw 22m ago 0 comments

AI Image to Video Generator – Create Videos from Images (imideo.net)

1 points by jacobgor502 22m ago 0 comments

Show HN: Apache Fluss (Incubating) – Streaming Storage for Real-Time Analytics (github.com)

2 points by michaelkoepf 22m ago 0 comments

OneNoughtOne – AI That Turns Conversations into Actions Across Your Digital Life

1 points by anshik1998 23m ago 0 comments

Show HN: Open-source business management tool for small business (github.com)

2 points by zaza12 23m ago 0 comments

Floor796 (floor796.com)

2 points by evo_9 23m ago 1 comments

Microsoft software flaw gave hackers access to U.S. nuclear weapons agency (qz.com)

3 points by mikece 27m ago 0 comments

Show HN: Unlimited Access to Mainstream LLM and Image Generation Model APIs (aihubmix.com)

1 points by akakenl 27m ago 0 comments

Delegation-Oriented FedCM (github.com)

1 points by mooreds 27m ago 0 comments

Understanding Debian's Security Processes (lwn.net)

1 points by jwilk 29m ago 0 comments

Show HN: Kafka, the first AI employee (NEW SOTA ON GAIA BY 20%) (brainbaselabs.com)

1 points by egrigokhan 30m ago 0 comments

AI might not recursively self improve (part 2) (secondsight.dev)

2 points by ffwd 31m ago 2 comments

Just Open Sourced NeuralAgent: The AI Agent That Lives on Your Desktop (github.com)

3 points by khalidshadidd 32m ago 0 comments

Creating agentic users, not just agentic AI (github.com)

1 points by manooshree 34m ago 1 comments

Space Force begins testing of first OCX software blocks for GPS sats (breakingdefense.com)

3 points by Jtsummers 37m ago 1 comments

Weapon Systems Annual Assessment (gao.gov)

1 points by Jtsummers 37m ago 0 comments

Ask HN: Cofounder Exit Offer

2 points by sjohns21 37m ago 4 comments

Finding New Opportunity

1 points by nikunj___2 41m ago 0 comments

Apollo 11 in Real Time (apolloinrealtime.org)

2 points by Bluestein 44m ago 0 comments

A Professor's Hunt for the Rarest Chinese Typewriter (nytimes.com)

3 points by japaget 45m ago 1 comments

Ramparts: A fast, lightweight security scanner for mcp servers (github.com)

2 points by sharathr 46m ago 1 comments

Zed Editor's Newest Feature: Being Able to Disable All AI Features (phoronix.com)

2 points by mikece 48m ago 1 comments

I adapted my film into a text-based adventure (kubicki.org)

4 points by durakot 49m ago 0 comments

The Bundling of Communities (ministryoftesting.com)

2 points by rosiesherry 51m ago 0 comments

NASA Shares How to Save Camera 370M-Miles Away Near Jupiter (nasa.gov)

5 points by mzs 51m ago 0 comments

What is X-Forwarded-For and when can you trust it? (2024)

11 ayoisaiah 1 7/23/2025, 10:18:06 AM httptoolkit.com ↗

Comments (1)

westurner · 3h ago
From the article: https://httptoolkit.com/blog/what-is-x-forwarded-for/ :

> Dropping all external values like this is the safest approach when you're not sure how secure and reliable the rest of your call chain is going to be. If other proxies and backend apps are likely to blindly trust the incoming information, or generally make insecure choices (which we'll get into more later) then it's probably safest to completely replace the X-Forwarded-For header at that outside-world facing reverse proxy, and ditch any untrustworthy data in the process.

X-Forwarded-For: https://en.wikipedia.org/wiki/X-Forwarded-For :

> Just logging the X-Forwarded-For field is not always enough as the last proxy IP address in a chain is not contained within the X-Forwarded-For field, it is in the actual IP header. A web server should log both the request's source IP address and the X-Forwarded-For field information for completeness

HTTP header injection: https://en.wikipedia.org/wiki/HTTP_header_injection

This OWASP page has a list of X-Forwarded-For and X-FORWARDED-foR and similar headers; "Headers for IP Spoofing" https://owasp.org/www-community/pages/attacks/ip_spoofing_vi...

A sufficient WAF should detect all such attempts.

The X-Forwarded-For Wikipedia article mentions that RFC 7239 actually standardizes the header and parsing:

  Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
  Forwarded: for="[2001:db8::1234]"
RFC 7239: "Forwarded HTTP Extension" (2014): https://www.rfc-editor.org/rfc/rfc7239