Currently bootstrap/app.php configures trusted proxies with a hardcoded list of Cloudflare IP addresses and ranges. This breaks correct IP detection and HTTPS handling when the application runs behind other reverse proxies (e.g., different CDN providers, load balancers, or local development tools).
We need to replace the explicit Cloudflare list with a wildcard (*) to trust all proxies. This simplifies configuration and ensures compatibility with any proxy environment. Security note: The application should only be placed behind proxies that are trusted; using * trusts every proxy, which is safe if the server itself is not directly exposed to untrusted clients.
Acceptance criteria:
- In
bootstrap/app.php, the $middleware->trustProxies(at: ...) call is changed to $middleware->trustProxies(at: '*').
- The application correctly resolves client IPs and
X-Forwarded-Proto headers when accessed through any standard reverse proxy.
- No hardcoded IP ranges remain.
Currently
bootstrap/app.phpconfigures trusted proxies with a hardcoded list of Cloudflare IP addresses and ranges. This breaks correct IP detection and HTTPS handling when the application runs behind other reverse proxies (e.g., different CDN providers, load balancers, or local development tools).We need to replace the explicit Cloudflare list with a wildcard (
*) to trust all proxies. This simplifies configuration and ensures compatibility with any proxy environment. Security note: The application should only be placed behind proxies that are trusted; using*trusts every proxy, which is safe if the server itself is not directly exposed to untrusted clients.Acceptance criteria:
bootstrap/app.php, the$middleware->trustProxies(at: ...)call is changed to$middleware->trustProxies(at: '*').X-Forwarded-Protoheaders when accessed through any standard reverse proxy.