Allow X-Forwarded-For Headers to Site or No?
Posted on 2016-10-24
So, this one is new for me and I need a breakdown on it. I already Googled it, but I want an answer from someone knowledgeable in this matter.
We host multiple sites for clients. The sites are on IIS servers behind a load balancer. One of the sites we host is having issues when their customers try to access it behind a proxy. They can access it when they disable the "X-Forwarded-For" option on the proxy but can't access it when they enable it.
My question to you is should we enable it for these users? I read that hackers can use that option if they breach your network and can use it to spoof the IP they came in on. So obviously for us this is a security issue.
I'm not even 100% sure where to enable this, I believe I would do it on the actual web server and not the firewall, but I need advice on the ramifications of if I do it to begin with.
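An added example, not part of the original post: the spoofing concern raised above comes down to which hop is allowed to vouch for the client address. The sketch below assumes a load balancer network of 10.0.0.0/24 and hypothetical function names; it accepts X-Forwarded-For only when the connection comes from that network and reads the header right to left, so values supplied by a client or its proxy are never trusted.

```python
import ipaddress

# Assumption: addresses of our own load balancer(s); constructed sample value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    """True if addr belongs to one of our own proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Parse one X-Forwarded-For element; return None if it is not an IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(peer_ip, xff_header):
    """Return the address to use for logging and access decisions.

    peer_ip: source address of the TCP connection the web server sees.
    xff_header: raw X-Forwarded-For value, or None when absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header from a peer that is not our load balancer is ignored entirely.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: the rightmost elements were appended by our own
    # proxies. The first untrusted address is the one our proxy really saw;
    # everything to its left was supplied by the client side and is unverified.
    candidate = peer
    for token in reversed(xff_header.split(",")):
        addr = _parse(token)
        if addr is None:
            break  # malformed element: keep the last verified hop
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)
```

With this logic a customer's proxy can send the header freely: whatever it puts on the left is ignored, and only the address appended by the load balancer is used.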