Laravel Trusted Proxies Wildcard: How to Configure TrustProxies Middleware Correctly
Setting TrustProxies to trust all proxies (*) lets attackers spoof IP addresses and bypass rate limiting, IP-based access controls, and audit logging.
The Problem
Laravel's TrustProxies middleware reads headers like X-Forwarded-For and X-Forwarded-Proto to determine the real client IP and protocol when behind a load balancer. Setting the trusted proxies to * (wildcard) means your application trusts these headers from any source — including attackers. This allows IP spoofing: an attacker can send X-Forwarded-For: 127.0.0.1 to bypass IP-based rate limiting, access controls, and audit logging.
How to Fix
1. Identify your actual proxy IP addresses
Determine the IP addresses of your load balancers and reverse proxies:

    # AWS ALB/ELB — use CIDR ranges
    # Check: https://ip-ranges.amazonaws.com/ip-ranges.json

    # Cloudflare — published IP ranges
    # Check: https://www.cloudflare.com/ips/

    # Single reverse proxy (Nginx on same server)
    # Usually 127.0.0.1

    # Laravel Forge with Nginx
    # Usually 127.0.0.1
2. Configure specific proxy IPs in the middleware
In app/Http/Middleware/TrustProxies.php (Laravel 10) or bootstrap/app.php (Laravel 11+):

    // Laravel 11+ in bootstrap/app.php
    // (imports needed at the top of the file)
    use Illuminate\Foundation\Configuration\Middleware;
    use Illuminate\Http\Request;

    ->withMiddleware(function (Middleware $middleware) {
        $middleware->trustProxies(
            at: ['192.168.1.1', '10.0.0.0/8'],
            headers: Request::HEADER_X_FORWARDED_FOR |
                     Request::HEADER_X_FORWARDED_HOST |
                     Request::HEADER_X_FORWARDED_PORT |
                     Request::HEADER_X_FORWARDED_PROTO
        );
    })

    // Laravel 10 in app/Http/Middleware/TrustProxies.php
    protected $proxies = ['192.168.1.1', '10.0.0.0/8'];

For cloud platforms where proxy IPs change, use the specific platform approach rather than *.
3. Handle dynamic proxy IPs on cloud platforms
On platforms like AWS or Google Cloud where proxy IPs rotate:

    // Laravel Vapor — automatically configured, no changes needed

    // AWS with ALB — trust the VPC CIDR
    protected $proxies = ['10.0.0.0/8', '172.16.0.0/12'];

    // Cloudflare — use the fideloper/proxy package or list their IPs
    protected $proxies = [
        '173.245.48.0/20',
        '103.21.244.0/22',
        '103.22.200.0/22',
        '103.31.4.0/22',
        '141.101.64.0/18',
        '108.162.192.0/18',
        '190.93.240.0/20',
        '188.114.96.0/20',
        '197.234.240.0/22',
        '198.41.128.0/17',
        '162.158.0.0/15',
        '104.16.0.0/13',
        '104.24.0.0/14',
        '172.64.0.0/13',
        '131.0.72.0/22',
    ];

Keep these ranges updated as providers add new IPs.
How to Verify
Test IP spoofing:
    curl -H 'X-Forwarded-For: 1.2.3.4' https://yourapp.com/api/me
The returned IP should be your actual IP, not 1.2.3.4, unless the request came through your actual proxy. Run php artisan stackshield:scan --check=SS045 to verify.
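The curl check above needs a deployed app; as an added offline illustration (not code from this page, from Laravel or from Symfony), the Python below models the rule TrustProxies applies: the X-Forwarded-For chain is read only when the connecting address is a trusted proxy, and is then walked from the right until the first untrusted hop. The `*` setting is modelled the way Laravel implements it, as trusting whatever address is calling; the sample addresses and the `lan` proxy list are constructed.

```python
import ipaddress


def _is_trusted(ip, trusted):
    """True if `ip` lies inside one of the trusted IPs/CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Model of the client IP the app will see via $request->ip().

    remote_addr      -- the TCP peer (REMOTE_ADDR) that sent the request
    x_forwarded_for  -- the X-Forwarded-For header value, or None
    trusted_proxies  -- list of IPs/CIDRs, or "*" (trust every caller)
    Port suffixes such as "1.2.3.4:443" are not handled in this model.
    """
    # Laravel implements "*" by trusting whatever address is calling,
    # so the forwarded header is honoured no matter who sent the request.
    trusted = [remote_addr] if trusted_proxies == "*" else list(trusted_proxies)

    # Not arriving from a trusted proxy: the header is ignored entirely.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]

    # Walk the chain from the right (nearest hop first). Every trusted proxy
    # appended the address it saw, so the first untrusted hop is the real
    # client; anything left of it came from an untrusted party.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed entries are dropped rather than trusted
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr  # every hop was a trusted proxy


if __name__ == "__main__":
    lan = ["127.0.0.1", "10.0.0.0/8"]  # constructed: proxies on the LAN
    # Attacker 203.0.113.5 connects directly with a spoofed header:
    print(resolve_client_ip("203.0.113.5", "1.2.3.4", "*"))  # 1.2.3.4
    print(resolve_client_ip("203.0.113.5", "1.2.3.4", lan))  # 203.0.113.5
    # Same header sent via the real proxy 10.0.0.7, which appends the client:
    print(resolve_client_ip("10.0.0.7", "1.2.3.4, 198.51.100.9", lan))  # 198.51.100.9
```

The first call shows the spoof succeeding under `*`; the second and third show the same header being ignored, or overridden by the address the real proxy appended, once the trusted list is restricted.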
Prevention
Never use * for trusted proxies in production. Document your infrastructure proxy IPs. Update proxy IP lists when changing cloud providers or CDN configurations. Use StackShield to monitor for wildcard proxy configurations.
Frequently Asked Questions
What if I don't know my proxy IPs?
Check your hosting provider documentation. For Laravel Forge: 127.0.0.1. For AWS ALB: your VPC CIDR range. For Cloudflare: their published IP list. You can also check access logs to see which IPs are connecting to your application.
Is trusting all proxies safe behind Cloudflare?
No. Even behind Cloudflare, attackers can bypass CDN and connect directly to your origin server if they discover its IP. In that case, trusting * means they can spoof headers. Always restrict to Cloudflare's published IP ranges.