Files
templates/blueprints/plane
LeoGomide b24dbc7611 fix(plane): tighten proxy TRUSTED_PROXIES to private_ranges (no IP spoofing)
Defaulting TRUSTED_PROXIES to 0.0.0.0/0 makes Caddy trust X-Forwarded-For /
X-Real-IP from any peer, allowing client-IP spoofing (CWE-348 / CWE-290) that
poisons rate-limiting and audit logs. In Dokploy the only upstream is Traefik on
the private dokploy-network, so trust Caddy's built-in `private_ranges` token
instead. Legitimate forwarded client IPs (Traefik is a private peer) still
resolve correctly; XFF from public-IP peers is rejected if the proxy is ever
exposed directly. Overridable via env for custom topologies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 10:17:09 -03:00
..