| const http = require("http"); | |
| const origCreate = http.createServer.bind(http); | |
| // Wrap Next standalone HTTP server: derive client IP from the TCP socket | |
| // (unspoofable) and strip client-supplied forwarding headers so downstream | |
| // rate-limiting keys on the real peer address instead of attacker-controlled XFF. | |
| http.createServer = (...args) => { | |
| const handler = args.find((a) => typeof a === "function"); | |
| const rest = args.filter((a) => typeof a !== "function"); | |
| if (!handler) return origCreate(...args); | |
| const wrapped = (req, res) => { | |
| const ip = req.socket && req.socket.remoteAddress ? req.socket.remoteAddress : ""; | |
| delete req.headers["x-9r-real-ip"]; | |
| delete req.headers["x-forwarded-for"]; | |
| req.headers["x-9r-real-ip"] = ip; | |
| return handler(req, res); | |
| }; | |
| return origCreate(...rest, wrapped); | |
| }; | |
| require("./server.js"); | |