Problem
The rate limiter extracts client IPs from `X-Forwarded-For` and `X-Real-IP` headers without validating the source of the request. Chi's `middleware.RealIP` is already in the middleware stack, but the rate limiter's own IP extraction (`ratelimit.go:93-100`) reads these headers independently. Note that `middleware.RealIP` has the same weakness: it has no notion of a trusted proxy and overwrites `r.RemoteAddr` from `True-Client-IP`, `X-Real-IP` or the first `X-Forwarded-For` entry whenever one of those headers is present, whoever sent it.
In production behind Cloudflare Tunnel this works as intended because Cloudflare sets these headers. However, if the server is ever reached directly (e.g. from inside the cluster, during testing, or if the tunnel is misconfigured), a client can set `X-Forwarded-For` itself and bypass rate limiting entirely by rotating the header value on each request, so every attempt is counted against a fresh bucket.
Why it matters
Rate limiting is the primary brute-force protection for login and other auth endpoints. If it can be trivially bypassed by header spoofing, it provides a false sense of security.
Suggested approach
- Make a single middleware responsible for deciding the client IP and have it write the result into `r.RemoteAddr`; the rate limiter then keys on `r.RemoteAddr` only and stops parsing proxy headers itself
- Gate that middleware on a trusted-proxy check: honour forwarded headers only when the TCP peer (`r.RemoteAddr` before any rewriting) is inside a configured CIDR list (the `cloudflared` hosts or the cluster range); otherwise key on the peer address as-is. Chi's `middleware.RealIP` does not support trusted-proxy CIDRs, so it needs to be wrapped or replaced rather than configured
- When the peer is trusted, prefer a header the proxy sets unconditionally (Cloudflare sets `Cf-Connecting-IP`). If `X-Forwarded-For` has to be used, take the rightmost entry that is not itself a trusted proxy, not the first entry: a proxy that appends to an existing `X-Forwarded-For` leaves the leftmost entries under client control
This is low severity given the Cloudflare Tunnel setup but is a good hygiene fix. A regression test that sends requests directly to the server with a different `X-Forwarded-For` on each attempt and asserts that the limiter still trips on the peer address would keep it fixed.
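The trusted-proxy rule from the suggested approach, written out as an added example (not the project's own code and not chi's `middleware.RealIP`). The CIDR list, the handler names and the sample addresses are assumptions for illustration; it uses only the standard library so it can be dropped in front of any `net/http` handler chain.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// trustedProxies is an assumed list of ranges for the hops that sit in front
// of the server (loopback and a hypothetical cluster range). Only a TCP peer
// inside these ranges is allowed to supply forwarded headers.
var trustedProxies = mustParsePrefixes("127.0.0.0/8", "::1/128", "10.0.0.0/8")

func mustParsePrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// isTrusted reports whether ip belongs to a configured proxy range.
// Unmap folds IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) into plain IPv4
// so that they match an IPv4 prefix.
func isTrusted(ip netip.Addr) bool {
	ip = ip.Unmap()
	for _, p := range trustedProxies {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address the rate limiter should key on.
// peer is the TCP peer (r.RemoteAddr, "host:port"); xff is the raw
// X-Forwarded-For value. Forwarded entries are honoured only when the peer is
// a trusted proxy, and then the rightmost entry that is not itself a trusted
// proxy is used, so a client-supplied prefix cannot move the result.
func ClientIP(peer, xff string) string {
	host, _, err := net.SplitHostPort(peer)
	if err != nil {
		host = peer // already a bare address
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return host // unparseable peer: fall back to the raw string
	}
	if !isTrusted(addr) || xff == "" {
		return addr.Unmap().String() // direct hit: ignore whatever headers were sent
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		cand, err := netip.ParseAddr(strings.TrimSpace(parts[i]))
		if err != nil {
			break // malformed entry: stop trusting anything to its left
		}
		if !isTrusted(cand) {
			return cand.Unmap().String()
		}
	}
	// Every hop was a trusted proxy (or the list was unusable): key on the peer.
	return addr.Unmap().String()
}

// RealIP is an assumed replacement for chi's middleware.RealIP that applies
// the trusted-proxy rule before overwriting r.RemoteAddr. Downstream
// middleware, the rate limiter included, then reads r.RemoteAddr only.
func RealIP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.RemoteAddr = ClientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For"))
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed inputs: a direct hit with a spoofed header, and a request
	// relayed by a trusted proxy whose client prepended a fake entry.
	fmt.Println(ClientIP("203.0.113.7:4411", "198.51.100.9"))
	fmt.Println(ClientIP("10.1.2.3:5555", "1.2.3.4, 198.51.100.9"))
}
```

Keying on the peer address when the peer is untrusted is what closes the bypass: a client talking to the server directly can send any `X-Forwarded-For` it likes and still lands in the bucket for its own address. Rewriting `r.RemoteAddr` to a bare address (no port) mirrors what chi's `RealIP` does, so existing code that already reads `r.RemoteAddr` keeps working.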