
I am writing a web application using PHP. For a certain endpoint, I want to validate whether the request was sent from inside the network. We use the 10.0.0.0/8 private range internally. Let's say the server is at 10.0.0.10.

Let's say $_SERVER['REMOTE_ADDR'] = 10.2.3.5, can I safely assume the request had to have come from inside the network (or an internal VLAN as the routers will have private addresses too)? Am I right in thinking that if it came from outside the network, this IP address would have to be a public address for the response to find its way back to the external network's router?

andrewJames
andrew1601
  • Probably. But if your network has a NAT gateway with forwarding rules, or a reverse proxy, or anything similar that is configured to pass external traffic internally. As a general rule try not to implicitly trust things like "anything inside this network" or "any employee at the company" further than you can throw them. – Sammitch Aug 22 '22 at 19:59
  • I would rely on the NAT gateway for ensuring this. – Rohit Gupta Aug 28 '22 at 23:56
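
The check described in the question, combined with the caveat raised in the first comment, as an added example that is not code from the question or its comments. The forwarding-hop address 10.0.0.2 and the function names are assumptions made for illustration; the 10.0.0.0/8 range is the one given in the question.

```php
<?php
declare(strict_types=1);

// Internal range from the question. FORWARDING_HOPS is an assumption: a
// hypothetical reverse proxy / NAT gateway that relays external traffic inward.
const INTERNAL_CIDR   = '10.0.0.0/8';
const FORWARDING_HOPS = ['10.0.0.2'];

/** True when $ip is a valid IPv4 address inside $cidr. */
function ipv4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $bits    = (int) $bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // IPv6, malformed input or bad prefix: fail closed
    }
    $mask = -1 << (32 - $bits); // high $bits bits set
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Classify the TCP peer address. REMOTE_ADDR is the peer of the connection the
 * web server accepted, so when a forwarding hop sits in front of it, every
 * external request arrives with that hop's internal address.
 */
function classifyPeer(string $remoteAddr): string
{
    if (!ipv4InCidr($remoteAddr, INTERNAL_CIDR)) {
        return 'external';
    }
    if (in_array($remoteAddr, FORWARDING_HOPS, true)) {
        return 'forwarded'; // true origin unknown: do not treat as internal
    }
    return 'internal-peer';
}

// Constructed sample peers, not real traffic. In the application the argument
// would be $_SERVER['REMOTE_ADDR'].
foreach (['10.2.3.5', '10.0.0.2', '203.0.113.7', '::1', '10.2.3.5.evil'] as $peer) {
    printf("%-14s => %s\n", $peer, classifyPeer($peer));
}
```

Only the `internal-peer` result supports the assumption in the question, and only if every internal hop that relays outside traffic is listed in `FORWARDING_HOPS`.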

0 Answers