Is there an option to hide the client identity?

I mean, don't send the client IP and country code to the origin server in the HTTP headers.

The server may be deployed in an untrusted environment.

Unsure what your setup is but if you’re just using Cloudflare’s free plan I don’t think you’ll be getting the true client IP as that is a paid feature.

You can stop receiving visitor country codes by changing the IP Geolocation setting under Network to off. The True-Client-IP header under Network should already be off because it requires the enterprise plan.

All plans get the cf-connecting-ip header. I have never seen a way to disable that.

Is the concern that the network between Cloudflare and Origin is untrusted, or is the Origin also untrusted? The former can be mitigated by ensuring only HTTPS traffic between CF and Origin, and using Authenticated Origin Pull. All bets are off with the latter.


Good to know, thanks.

Strange that they made the true-client-ip header a paid feature if you can get the same info out of another header. Or am I missing something?

From the documentation:

There’s absolutely no difference between True-Client-IP and Cf-Connecting-IP besides the name of the header. Some Enterprise customers with legacy devices need True-Client-IP to avoid updating firewalls or load-balancers to read a custom header name.

I always presumed there was some licensing implication on the header, and there is no such cost for the cf-connecting-ip.


That’s good to know. Thanks for that.

I am not sure if you can license a header. My assumption would rather be Cloudflare’s approach here is, if you use software which requires such a header, you can pay for Enterprise. Let’s say it is a sort of encouragement :wink:

I’m sure if Akamai started to issue a CF-Connecting-IP header the lawyers would generate a lot of billable hours, whether or not it infringed on anything!

One could argue CF somewhat is Cloudflare related but A) even CF does not necessarily have to be interpreted as Cloudflare and B) I still doubt you can trademark a header.

Let’s say the server is deployed on a VPS and later the VPS storage backup is leaked, or some day a hacker gets into the OS; then he knows which IP every client came from.

With it disabled, the hacker will not be able to know the client’s true IP even if he runs tcpdump on the server.

Not restoring the visitor’s IP does not solve the problem; in most cases you don’t know your server is compromised. An option to disable sending the IP to the server is the solution.

So… somebody breaches your system and your major concern is that their IP might be leaked? That’s nonsense; if you are that concerned about such a scenario, simply don’t restore the visitor’s IP.
