tag
misconfiguration
2 articles with this tag
2026-06-08
What is X-Forwarded-For (XFF) spoofing — the trusted-proxy config trap
XFF is a client-forgeable header. A blind scanner hides injection probes in a spoofed XFF, and a 'trust all proxies (wildcard)' setting lets them through. Patch: sanitize the IP header at the boundary. Root fix: trust the right proxies (or none). Even with zero impact, a setting was still left to fix.
2026-06-07
Laravel apps' .env was readable by the whole world — the most common shared-hosting mistake
The cause: the whole app sat under the web root, when only public/ should be visible. Fix in three steps (.htaccess first aid, rotate keys, restructure), then prevent it with process.