Skip to content

Trust all proxies instead of Cloudflare-specific IP ranges #27

Description

@Devsome

Currently bootstrap/app.php configures trusted proxies with a hardcoded list of Cloudflare IP addresses and ranges. This breaks correct IP detection and HTTPS handling when the application runs behind other reverse proxies (e.g., different CDN providers, load balancers, or local development tools).

We need to replace the explicit Cloudflare list with a wildcard (*) to trust all proxies. This simplifies configuration and ensures compatibility with any proxy environment. Security note: The application should only be placed behind proxies that are trusted; using * trusts every proxy, which is safe if the server itself is not directly exposed to untrusted clients.

Acceptance criteria:

  • In bootstrap/app.php, the $middleware->trustProxies(at: ...) call is changed to $middleware->trustProxies(at: '*').
  • The application correctly resolves client IPs and X-Forwarded-Proto headers when accessed through any standard reverse proxy.
  • No hardcoded IP ranges remain.

Metadata

Metadata

Assignees

Labels

featureNew feature or request

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions