Hacker News

I have a rate limiting library, and for a long time, some of the most frequent issues related to misconfiguration around X-Forwarded-For headers: either ignoring them when it shouldn't and limiting the load balancer's IP instead of the end user, or blindly trusting any XFF header and allowing limits to be trivially bypassed.

Eventually I added some runtime checks that log a warning and link to documentation for both of those issues and a few other common ones.

My support burden has decreased dramatically since then.
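The two misconfigurations the comment describes, side by side with a resolver that avoids both, as an added example (this is not code from the commenter's library; the `trusted_proxies` list, the `trust_xff` flag and the warning texts are assumptions made for the illustration). The naive version keys the limit on the leftmost X-Forwarded-For entry, which the client writes itself; the hardened version only consults the header when the TCP peer is a known load balancer, then walks the chain from the right, skipping trusted hops, so the first address not under our control is the one that gets limited. It also emits the kind of runtime warning the comment mentions when the configuration and the observed traffic disagree.

```python
import ipaddress
import logging

log = logging.getLogger("ratelimit")

# Assumed load-balancer range for this example; a real deployment would
# configure this to match the proxies actually in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr, xff):
    """The 'blindly trust XFF' mistake: the leftmost entry is whatever the
    client put there, so the limit key is attacker-controlled."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _is_trusted(addr, trusted_proxies):
    """True if addr parses and lies in one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in trusted_proxies)


def client_ip(remote_addr, xff, trusted_proxies, trust_xff):
    """Return the address a rate limiter should key on.

    remote_addr     peer address of the TCP connection (not spoofable by the client)
    xff             raw X-Forwarded-For header value, or None
    trusted_proxies ip_network objects for the load balancers in front of us
    trust_xff       whether the limiter is configured to use XFF at all
    """
    remote_is_proxy = _is_trusted(remote_addr, trusted_proxies)

    if not trust_xff:
        # Misconfiguration #1: traffic arrives via a proxy but XFF is ignored,
        # so every end user collapses onto the proxy's single limit.
        if remote_is_proxy:
            log.warning(
                "request from trusted proxy %s but XFF handling is disabled; "
                "all clients behind it share one limit (see docs)", remote_addr)
        return remote_addr

    if not remote_is_proxy:
        # Direct connection: the header is client-supplied and must be ignored.
        if xff:
            log.warning(
                "X-Forwarded-For present on direct connection from %s; "
                "ignoring header (see docs)", remote_addr)
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        log.warning("trusted proxy %s sent no X-Forwarded-For; limiting proxy "
                    "address instead (see docs)", remote_addr)
        return remote_addr

    # Walk right to left: entries appended by our own proxies are trustworthy,
    # the first entry that is not one of ours is the real client.
    for hop in reversed(hops):
        try:
            if _is_trusted(hop, trusted_proxies):
                continue
        except ValueError:
            # A malformed entry came from an untrusted party; nothing to its
            # left can be believed either, so fall back to the peer address.
            log.warning("malformed X-Forwarded-For entry %r from %s", hop, remote_addr)
            return remote_addr
        return hop

    # Every hop was one of our proxies: no client address to be found.
    return remote_addr


if __name__ == "__main__":
    # Constructed request: client 203.0.113.9 reaches us through LB 10.0.0.5
    # after prepending a forged entry to the header.
    forged = "1.2.3.4, 203.0.113.9"
    print("naive   :", naive_client_ip("10.0.0.5", forged))           # 1.2.3.4 (bypass)
    print("hardened:", client_ip("10.0.0.5", forged, TRUSTED_PROXIES, True))  # 203.0.113.9
```

The check in the `not remote_is_proxy` branch is the cheap one to add to any limiter: a non-proxy peer that sends X-Forwarded-For is either a misrouted deployment or someone probing for exactly this bypass, and either way a logged warning pointing at the docs is what turns a support ticket into a self-service fix.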



