This was the only article that opened my eyes; it's a lot better than the Wikipedia article on the topic. It covers the XFF header, as well as related headers, clearly from both defense and offense perspectives.
Two things it failed to advise for defense are:
(1) I can simply just reject requests that provide multiple keys of this header. In Go, I will use `http.Header.Values(headerName)` to check the count. There is no good reason for having multiple keys of it. Any misconfiguration in setting them is the client's problem.
(2) I can and I must reject large requests that have too many header bytes. In Go, when initializing `http.Server`, I can give it the `MaxHeaderBytes` argument. Sending megabytes of headers stops here.
If I understood correctly, when wanting the rightmost-ish XFF value, I can use the rightmost value that is not in a list of trusted subnets, assuming there is at least one remaining value left of it.
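A Go sketch of the three checks described above, added here as an example rather than code from the commenter or the article. The trusted subnets are constructed for the example, and it generalises the rightmost rule slightly by treating the TCP peer as the final hop, so a peer that is not one of our proxies has its XFF claims ignored entirely:

```go
package main

import (
	"errors"
	"net/http"
	"net/netip"
	"strings"
)

var ErrMultipleXFF = errors.New("multiple X-Forwarded-For header lines") // reject, never merge
// trustedNets are our own proxies; constructed for this example, not a real deployment.
var trustedNets = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("192.168.1.0/24")}
func isTrusted(a netip.Addr) bool {
	for _, p := range trustedNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}
// ClientIP rejects duplicate XFF lines, ignores XFF when the TCP peer is not a
// trusted proxy, and otherwise returns the rightmost entry outside trustedNets.
func ClientIP(r *http.Request) (netip.Addr, error) {
	vals := r.Header.Values("X-Forwarded-For")
	if len(vals) > 1 {
		return netip.Addr{}, ErrMultipleXFF
	}
	peer, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	if !isTrusted(peer.Addr()) {
		return peer.Addr(), nil // not one of our proxies: whatever it put in XFF is ignored
	}
	hops := strings.Split(strings.Join(vals, ","), ",") // [""] when the proxy sent no XFF
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return netip.Addr{}, errors.New("missing or malformed X-Forwarded-For entry")
		}
		if !isTrusted(a) {
			return a, nil
		}
	}
	return netip.Addr{}, errors.New("every hop is inside the trusted subnets")
}

func NewServer(h http.Handler) *http.Server {
	return &http.Server{Handler: h, MaxHeaderBytes: 16 << 10} // oversized headers fail while parsing
}
```

Go already caps headers at DefaultMaxHeaderBytes (1 MiB) when MaxHeaderBytes is left at zero; the explicit 16 KiB here tightens that to what an ordinary request needs.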