I'm aware that this question has been asked before, but I haven't found a satisfactory solution that takes into account security concerns. In my Node.js backend application, which operates over HTTPS, I need to retrieve the user's real IP address, considering that the user can potentially modify headers, use proxies/VPNs, or employ malicious 3rd-party tools for IP spoofing.
Currently, I'm using standard request headers like X-Forwarded-For, and I discovered that setting the remote address inside the webserver (e.g., nginx) using proxy_set_header X-Real-IP $remote_addr might be useful. However, I'm aware that these headers can be manipulated by the client. Additionally, some users might be behind proxies or VPNs, which can further obfuscate their real IP address.
Given these security challenges, I'm looking for a robust method or a combination of techniques to accurately obtain the real IP address of the user while mitigating the risks posed by header modification, proxies, VPNs, and spoofing attempts.
Any guidance, best practices, or code examples that can enhance the security of IP retrieval in such scenarios would be greatly appreciated.
Thank you!
