diff --git a/docs/ja-JP/skills/quarkus-security/SKILL.md b/docs/ja-JP/skills/quarkus-security/SKILL.md index 8c6016db..cd19f41c 100644 --- a/docs/ja-JP/skills/quarkus-security/SKILL.md +++ b/docs/ja-JP/skills/quarkus-security/SKILL.md @@ -286,14 +286,20 @@ quarkus.vault.authentication.kubernetes.role=my-role ## レート制限 +**セキュリティ注意**: `X-Forwarded-For`を直接使用しないでください — クライアントが偽装できます。 +サーブレットリクエストの実際のリモートアドレス、または認証済みIDを使用してください。 + ```java @ApplicationScoped public class RateLimitFilter implements ContainerRequestFilter { private final Map limiters = new ConcurrentHashMap<>(); + @Inject + HttpServletRequest servletRequest; + @Override public void filter(ContainerRequestContext requestContext) { - String clientId = getClientIdentifier(requestContext); + String clientId = getClientIdentifier(); RateLimiter limiter = limiters.computeIfAbsent(clientId, k -> RateLimiter.create(100.0)); // 1秒あたり100リクエスト @@ -306,9 +312,10 @@ public class RateLimitFilter implements ContainerRequestFilter { } } - private String getClientIdentifier(ContainerRequestContext ctx) { - // IP、APIキー、またはユーザーIDを使用 - return ctx.getHeaderString("X-Forwarded-For"); + private String getClientIdentifier() { + // コンテナ提供のリモートアドレスを使用(X-Forwarded-Forではない)。 + // 信頼できるプロキシの背後にある場合はquarkus.http.proxy.proxy-address-forwarding=trueを設定。 + return servletRequest.getRemoteAddr(); } } ``` diff --git a/docs/tr/skills/quarkus-security/SKILL.md b/docs/tr/skills/quarkus-security/SKILL.md index f0b46305..8f1296ea 100644 --- a/docs/tr/skills/quarkus-security/SKILL.md +++ b/docs/tr/skills/quarkus-security/SKILL.md 
@@ -333,14 +333,20 @@ public class SecretService { ## Rate Limiting (Hız Sınırlama) +**Güvenlik Notu**: `X-Forwarded-For` doğrudan kullanmayın — istemciler bunu taklit edebilir. +Servlet request'ten gerçek uzak adresi veya kimliği doğrulanmış bir kimlik (API anahtarı, JWT subject) kullanın. + ```java @ApplicationScoped public class RateLimitFilter implements ContainerRequestFilter { private final Map limiters = new ConcurrentHashMap<>(); + @Inject + HttpServletRequest servletRequest; + @Override public void filter(ContainerRequestContext requestContext) { - String clientId = getClientIdentifier(requestContext); + String clientId = getClientIdentifier(); RateLimiter limiter = limiters.computeIfAbsent(clientId, k -> RateLimiter.create(100.0)); // Saniyede 100 istek @@ -353,9 +359,10 @@ public class RateLimitFilter implements ContainerRequestFilter { } } - private String getClientIdentifier(ContainerRequestContext ctx) { - // IP, API anahtarı veya kullanıcı ID'si kullanın - return ctx.getHeaderString("X-Forwarded-For"); + private String getClientIdentifier() { + // Konteyner tarafından sağlanan uzak adresi kullanın (X-Forwarded-For değil). + // Güvenilir proxy arkasındaysanız quarkus.http.proxy.proxy-address-forwarding=true ayarlayın. + return servletRequest.getRemoteAddr(); } } ``` diff --git a/skills/quarkus-security/SKILL.md b/skills/quarkus-security/SKILL.md index 35b80045..99f91390 100644 --- a/skills/quarkus-security/SKILL.md +++ b/skills/quarkus-security/SKILL.md 
@@ -333,14 +333,21 @@ public class SecretService { ## Rate Limiting +**Security Note**: Never use `X-Forwarded-For` directly — clients can spoof it. +Use the actual remote address from the servlet request, or an authenticated +identity (API key, JWT subject) when available. + ```java @ApplicationScoped public class RateLimitFilter implements ContainerRequestFilter { private final Map limiters = new ConcurrentHashMap<>(); + @Inject + HttpServletRequest servletRequest; + @Override public void filter(ContainerRequestContext requestContext) { - String clientId = getClientIdentifier(requestContext); + String clientId = getClientIdentifier(); RateLimiter limiter = limiters.computeIfAbsent(clientId, k -> RateLimiter.create(100.0)); // 100 requests per second @@ -353,9 +360,11 @@ public class RateLimitFilter implements ContainerRequestFilter { } } - private String getClientIdentifier(ContainerRequestContext ctx) { - // Use IP, API key, or user ID - return ctx.getHeaderString("X-Forwarded-For"); + private String getClientIdentifier() { + // Use the container-provided remote address (not X-Forwarded-For). + // If behind a trusted proxy, configure quarkus.http.proxy.proxy-address-forwarding=true + // so getRemoteAddr() returns the real client IP. + return servletRequest.getRemoteAddr(); } } ```
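Review bot: `@Inject HttpServletRequest servletRequest;` added in the first hunk only resolves when the servlet stack is on the classpath (`quarkus-undertow` / RESTEasy Classic); on the default RESTEasy Reactive stack there is no `HttpServletRequest` bean and the build will most likely fail with an unsatisfied dependency. A stack-independent form is `@Context io.vertx.core.http.HttpServerRequest request;` with `return request.remoteAddress().host();`, or the snippet should state the undertow dependency it assumes. Separately, `limiters.computeIfAbsent(clientId, ...)` now keys one permanent `RateLimiter` per source address with no eviction, so a scan from many addresses grows the map without bound; the security note should mention a bounded or expiring cache. The filter class continues past the end of this hunk.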
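Review bot: The comment `// If behind a trusted proxy, configure quarkus.http.proxy.proxy-address-forwarding=true` in the second hunk reintroduces the weakness the section's security note warns about, because with that flag alone Quarkus rewrites the remote address from `X-Forwarded-For` presented by any peer, not just the proxy. A client that can reach the service without traversing the proxy, or a proxy that does not strip inbound forwarded headers, can then pick its own rate-limit key again. Pair the flag with `quarkus.http.proxy.trusted-proxies=<proxy address or CIDR>` (available in recent Quarkus 3.x releases) so forwarded headers are honoured only from the proxy, and say so in the comment, e.g. `// ...together with quarkus.http.proxy.trusted-proxies=<proxy CIDR>; without it X-Forwarded-For is trusted from anyone.`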