Skip to content

Harden client rate-limit partition fallback when RemoteIpAddress is unavailable #331

Description

@cdcavell

Summary

Improve the client rate-limiting partition key fallback used when HttpContext.Connection.RemoteIpAddress is unavailable.

Background

The current client partition key uses RemoteIpAddress?.ToString() ?? "unknown-client". While simple, the shared "unknown-client" fallback can cause unrelated requests to share the same rate-limit bucket if client IP resolution fails. In reverse-proxy/load-balancer scenarios, the more common risk is proxy aggregation when forwarded headers are not configured or trusted correctly.

Goals

  • Preserve use of ASP.NET Core Forwarded Headers Middleware as the trusted source of client IP resolution.
  • Avoid directly trusting raw X-Forwarded-For values inside the rate limiter.
  • Replace or make configurable the shared "unknown-client" fallback.
  • Add logging when the fallback path is used.
  • Document the importance of KnownProxies / KnownNetworks and middleware ordering.

Acceptance Criteria

  • Client IP partitioning continues to use HttpContext.Connection.RemoteIpAddress.
  • Fallback no longer silently collapses all unresolved clients into a single shared bucket unless explicitly configured.
  • A warning/debug log is emitted when client IP is unavailable.
  • Documentation notes that UseForwardedHeaders() must run before middleware that depends on client IP.
  • Documentation warns against trusting raw forwarded headers without trusted proxy configuration.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    Status
    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions