From e29584258bc1a5c55bd6802cd084010d88ef8373 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 25 Apr 2026 11:45:22 +0800 Subject: [PATCH] docs: update tasktracking with CF-Connecting-IP trust --- .../2026-04-25-fix-login-ratelimit-and-ip-spoofing.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/Tasktracking/2026-04-25-fix-login-ratelimit-and-ip-spoofing.md b/docs/Tasktracking/2026-04-25-fix-login-ratelimit-and-ip-spoofing.md index 7c8288ee..d6c48236 100644 --- a/docs/Tasktracking/2026-04-25-fix-login-ratelimit-and-ip-spoofing.md +++ b/docs/Tasktracking/2026-04-25-fix-login-ratelimit-and-ip-spoofing.md @@ -15,4 +15,6 @@ - `web/middleware/ratelimit.go` — use RemoteAddr in rate limiter ## Note -If the panel runs behind a reverse proxy, `RemoteAddr` will show the proxy IP. To restore header-based IP detection, configure `engine.SetTrustedProxies()` in `web/web.go` with the proxy's IP. +- Trusts Cloudflare's `CF-Connecting-IP` header (CF overwrites it, clients cannot spoof) +- Falls back to `RemoteAddr` for direct connections without CDN +- `X-Real-IP` / `X-Forwarded-For` are NOT trusted (can be spoofed by clients)
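Review bot: the parenthetical in the first added bullet ("CF overwrites it, clients cannot spoof") only holds when the origin accepts traffic exclusively from Cloudflare; in the "direct connections without CDN" case named in the second bullet, a client that reaches the panel directly can set `CF-Connecting-IP` itself and the `RemoteAddr` fallback is never taken, so the two bullets as written describe a configuration where the header is spoofable. Suggest qualifying the bullet, e.g. `- Trusts CF-Connecting-IP only when RemoteAddr is a Cloudflare edge address (or the origin is firewalled to Cloudflare); otherwise uses RemoteAddr`, and stating where that check lives, since the removed note pointed operators at `engine.SetTrustedProxies()` in `web/web.go` while the new bullets name no file or setting.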