From 3499fd0d340ffc389e385efccdd9107d39deb31b Mon Sep 17 00:00:00 2001
From: isUnknown
Date: Sat, 21 Mar 2026 09:25:27 +0100
Subject: [PATCH] =?UTF-8?q?fix(security):=20rate=20limiting=20bas=C3=A9=20?=
 =?UTF-8?q?sur=20REMOTE=5FADDR=20uniquement?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Forwarded-For est un header client spoofable, REMOTE_ADDR est l'IP TCP.
Co-Authored-By: Claude Opus 4.6
---
 site/config/routes/download-white-paper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/config/routes/download-white-paper.php b/site/config/routes/download-white-paper.php
index 05d6a5c..21bad77 100644
--- a/site/config/routes/download-white-paper.php
+++ b/site/config/routes/download-white-paper.php
@@ -25,7 +25,7 @@ return [
 }
 // ── Rate limiting (5 req / hour / IP) ─────────────────────
- $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+ $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
 $cacheKey = 'wp-dl-' . md5($ip);
 $cache = kirby()->cache('pages');
 $hits = (int)($cache->get($cacheKey) ?? 0);
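Review bot: Using `REMOTE_ADDR` alone on the added `$ip` line is correct only when PHP is directly exposed; if this Kirby site sits behind a reverse proxy, load balancer or CDN, `REMOTE_ADDR` is the proxy's address, every visitor shares the single `wp-dl-…` bucket, and the 5 req/hour limit turns into a self-inflicted denial of the download for everyone after the fifth request. The commit message is right that a bare `X-Forwarded-For` is attacker-controlled, but the robust fix is to accept it only when `REMOTE_ADDR` is a known proxy and then take the right-most hop (the one appended by that proxy), or to have the web server rewrite `REMOTE_ADDR` from the proxy header so this code stays as is. Whichever deployment applies, the assumption should be recorded next to the line, e.g. `// REMOTE_ADDR is the TCP peer; behind a proxy/CDN this is the proxy, not the client — real-IP must then be restored at the web server, never read from a raw client header here.` The allowlist values below are deployment-specific and must come from configuration, not be hard-coded as shown; the rest of the route (the hit counting after `$hits`) is outside this hunk.
```php
// Reverse proxies whose X-Forwarded-For we trust; empty when PHP is directly exposed.
$trustedProxies = [];
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (in_array($ip, $trustedProxies, true) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // Right-most entry was appended by our proxy; earlier entries are client-controlled.
    $hops = array_map(trim(...), explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    $ip = end($hops);
}
// … unchanged: cache key, cache lookup and hit counting …
```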