1 article with this tag
XFF (X-Forwarded-For) is a client-forgeable header. A blind scanner hides injection probes in a spoofed XFF value, and a 'trust all proxies (wildcard)' setting lets them through. Patch = sanitize the client-IP header at the boundary; root fix = trust only the right proxies (or none). Zero impact, but it still left a setting to fix.