How do we handle getting/trusting the remote IP address? #187
Description
We use Flask's Request.remote_addr which is from Werkzeug:
That pulls it from the environment which is set by what? Should we be doing more in the library and/or docs for IP forwarding?
I didn't realize getting the "real" ip address of the client was so involved and potentially risky:
- https://news.ycombinator.com/item?id=44657527
- https://adam-p.ca/blog/2022/03/x-forwarded-for/
- https://werkzeug.palletsprojects.com/en/stable/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix
See also: https://flask-security.readthedocs.io/en/stable/quickstart.html#proxy-configuration