2Mar
IP spoofing and http requests
I protect my website with Cloudflare. But using Censys I found my real server IP, thus anyone can connect to my server without having to deal with Cloudflare. I saw that I can blacklist all IPs that are not from Cloudflare, but I got scared that if someone changed their X-Forwarded-For, they can hide themselves as a client going through Cloudflare defeating the whole purpose of blacklisting IPs. But then someone on Discord said that I can blacklist effectively in the transport layer using TCP to determine the real IP of users.
I could not find a source to backup this person's statement, and thought I should ask the experts.
