
Prevent X-Forwarded-For spoofing using ELB and Node


I'm analyzing a stack of a public route that rests on an Elastic Load Balancer which opens a port exposed by PM2 that starts a node app using the koa module. At the moment, the IP is logged and that depends solely on the X-Forwarded-For header. If this header is manually created using curl, then the application will write that as the IP address.

Is there an easy way to prevent spoofing of this header, or to set up AWS's ELB so that it ignores manually inserted headers? Or is there a better way than the spoofable header to get the real IP address of the visitor?


Solution

  • From the documentation:

    ...the load balancer appends the client IP address to the existing header and passes the header to your server. The X-Forwarded-For request header may contain multiple IP addresses that are comma separated. The left-most address is the client IP where the request was first made. This is followed by any subsequent proxy identifiers, in a chain.

    The first IP is the correct client IP.