fix(security): Add WithClientIPHeader function to create new Option

ulule · Mar 17, 2022 · 8be3c81 · 8be3c81
1 parent bb4a759
commit 8be3c81
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -94,7 +94,7 @@ store := memory.NewStore()
 instance := limiter.New(store, rate)
 
 // Alternatively, you can pass options to the limiter instance with several options.
-instance := limiter.New(store, rate, limiter.WithTrustForwardHeader(true), limiter.WithIPv6Mask(mask))
+instance := limiter.New(store, rate, limiter.WithClientIPHeader("True-Client-IP"), limiter.WithIPv6Mask(mask))
 
 // Finally, give the limiter instance to your middleware initializer.
 import "github.com/ulule/limiter/v3/drivers/middleware/stdlib"

diff --git a/options.go b/options.go
@@ -41,8 +41,21 @@ func WithIPv6Mask(mask net.IPMask) Option {
 }
 
 // WithTrustForwardHeader will configure the limiter to trust X-Real-IP and X-Forwarded-For headers.
+// Please be advised that using this option could be insecure (ie: spoofed) if your reverse
+// proxy is not configured properly to forward a trustworthy client IP.
+// Please read the section "Limiter behind a reverse proxy" in the README for further information.
 func WithTrustForwardHeader(enable bool) Option {
 	return func(o *Options) {
 		o.TrustForwardHeader = enable
 	}
 }
+
+// WithClientIPHeader will configure the limiter to use a custom header to obtain user IP.
+// Please be advised that using this option could be insecure (ie: spoofed) if your reverse
+// proxy is not configured properly to forward a trustworthy client IP.
+// Please read the section "Limiter behind a reverse proxy" in the README for further information.
+func WithClientIPHeader(header string) Option {
+	return func(o *Options) {
+		o.ClientIPHeader = header
+	}
+}