But when you make an assumption, you make an ass of u and mption. To have your webserver simply assume that anybody who manages to connect is trusted not a great plan.
There's a right way to do it (see my previous comment), so seems to me that one shouldn't do the wrong thing and hope that it's not a problem.
> the actual request source IP address is one of yours first
I guess this also confused me skimming. "One of yours". No, you check if it's coming from where it's supposed to be coming, I'd say. Or from the trusted list, as I'd call it.
But when you make an assumption, you make an ass of u and mption. To have your webserver simply assume that anybody who manages to connect is trusted not a great plan.
There's a right way to do it (see my previous comment), so seems to me that one shouldn't do the wrong thing and hope that it's not a problem.
> the actual request source IP address is one of yours first
I guess this also confused me skimming. "One of yours". No, you check if it's coming from where it's supposed to be coming, I'd say. Or from the trusted list, as I'd call it.