Get client’s real IP address on Heroku

by

From Jacob, Heroku’s Director of Security at the time:

The router doesn’t overwrite X-Forwarded-For, but it does guarantee that the real origin will always be the last item in the list.

This means that, if you access a Heroku app in the normal way, you will just see your IP address in the X-Forwarded-For header:

$ curl http://httpbin.org/ip
{
  "origin": "123.124.125.126",
}

If you try to spoof the IP, your alleged origin is reflected, but – critically – so is your real IP. Obviously, this is all we need, so there’s a clear and secure solution for getting the client’s IP address on Heroku:

$ curl -H"X-Forwarded-For: 8.8.8.8" http://httpbin.org/ip
{
  "origin": "8.8.8.8, 123.124.125.126"
}

This is just the opposite of what is described on Wikipedia, by the way.

PHP implementation:

function getIpAddress() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ipAddresses = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        return trim(end($ipAddresses));
    }
    else {
        return $_SERVER['REMOTE_ADDR'];
    }
}

More Related Contents:

  1. How can I get the clients IP address from HTTP headers?
  2. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?
  3. Why is an OPTIONS request sent and can I disable it?
  4. How does HTTP file upload work?
  5. Uses of content-disposition in an HTTP response header
  6. How to set HTTP headers (for cache-control)?
  7. What’s the difference between a POST and a PUT HTTP REQUEST?
  8. How to detect server-side whether cookies are disabled
  9. ‘Refresh’ HTTP header
  10. HTTP status code for update and delete?
  11. Why is it common to put CSRF prevention tokens in cookies?
  12. Which status code should I use for failed validations or invalid duplicates?
  13. How to handle multiple cookies with the same name?
  14. Easy HTTP requests with gzip/deflate compression
  15. CORS request with Preflight and redirect: disallowed. Workarounds?
  16. PHP_SELF vs PATH_INFO vs SCRIPT_NAME vs REQUEST_URI
  17. How to redirect user’s browser URL to a different page in Nodejs?
  18. Why does my web server software disallow PUT and DELETE requests?
  19. Send request to cURL with post data sourced from a file
  20. What does “pending” mean for request in Chrome Developer Window?
  21. Difference between HTTP redirect codes
  22. How to correctly set Http Request Header in Angular 2
  23. Is a slash (“/”) equivalent to an encoded slash (“%2F”) in the path portion of an HTTP URL
  24. Whats Content-Type value within a HTTP-Request when uploading content?
  25. Save cookies between two curl requests
  26. Can I somehow do a synchronous HTTP request via NSURLSession in Swift
  27. Using “transfer-encoding: chunked”, how much data must be sent before browsers start rendering it?
  28. How do I allow a PUT file request on Nginx server?
  29. What does HTTP/1.1 302 mean exactly?
  30. Chunked encoding and content-length header

Leave a Comment