Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yes, this is correct. If you're using IP address allowlists then you also have to check the Host HTTP header (Cloudflare won't allow their other customers to forge that header). Or, you can use mTLS (as another commenter pointed out), or tunnels (as I pointed out): https://news.ycombinator.com/item?id=26690388


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: