industry | 2026-05-25 | 13 min read

/api/search RAG endpoint: XFF spoof bypassed the rate limit, fixed with fail-closed CF-Connecting-IP (UU F1, PR #570)

Mantas, 35, runs a freelance application security consultancy in Užupis, Vilnius. He is HackerOne Baltic top-10, an OWASP Vilnius regular, and his niche is AI inference cost abuse (3 Baltic neobanks, B2B SaaS). He takes part in thMenu's invite-only bounty.

In the 4th week of May 2026 he drew up an AI inference cost abuse threat model for the 4 customer-facing AI endpoints (Pro+): /api/ai-recommend, /api/ai-menu-chat, /api/ai-voice-parse and /api/search (RAG: Vectorize embedding + LLaMA reranker). Each call costs $0.0001-0.0003, which is trivial per request; at abuse scale it is $1K-$5K/day, which is non-trivial.

Lab hypothesis: the rate-limit middleware uses an IP-based fingerprint, so rotating XFF on every request makes the limit unlimited. A bash one-liner sent 100 requests, each with a random XFF. Expectation: 15-30 requests → 429. Actual: 100/100 200 OK; the rate limit never triggered. Scaled up for 10 minutes: 50,000 search requests, 50k Cloudflare AI inferences, cost $5. In production: 1 hour ~$50, 24h ~$1,200, and it scales with distributed botnets.

Private disclosure to thMenu; 90-minute ack.

The code is in apps/web-menu/src/lib/rate-limit-ip-hash.ts, where extractFingerprint returned cfIp ?? xff?.split(',')[0]?.trim() ?? 'unknown'. It looks defensive on its face, but it is the CLAUDE.md §17 anti-pattern, "Audit log XFF spoofable fallback": CF-Connecting-IP or null only. XFF (RFC 7239) is attacker-controlled and client-settable. Any code path that trusts XFF inherits client-controlled trust, and rate limiting on it is meaningless. CF-Connecting-IP is set on the proxy side by Cloudflare from the TLS handshake source IP and is not spoofable.

Mantas's grep list: the rate-limit-ip-hash leak, the affiliate-side extract-fingerprint.ts leak, and 9 audit-log writers (orders, ban, products, table-sessions, kds, bill-requests, customer/notes, shift-handovers).

PR #570 (UU F1) fix: const cfIp = headers.get('CF-Connecting-IP'); if (!cfIp) throw RateLimitInputError; the caller returns 503 Service Unavailable. The semantic is fail-closed: missing → reject. In production CF-Connecting-IP is always set, so the throw never fires; it fires on misconfiguration only. Bonus: request.cf?.country checks that the CF proxy is present, giving a 2-layer guard.

Production audit: 90 days of Sentry data showed ~120 unique IP clusters with bot patterns, 50k+ search/hour with XFF rotation. 3 were Mantas and 117 were genuine attackers. Cost: $3,800 of Cloudflare AI usage abuse. The Pro+ monthly AI budget is $50-200 (account-level inference budget); thMenu absorbed the cost. Follow-up: backfill of Cloudflare AI credit, a Cloudflare WAF rule with a 30-day temporary block, and manual review for false positives.

Mantas: EUR1,400 bug bounty + 6-month priority tier; 3 SaaS founders DMed him about similar audits.

Tülin (36, Ankara, Bilkent, ex-OWASP Türkiye board) worked in parallel the same week: /api/search, the same XFF spoof, the same per-request curl loop. PR #570 was merged for the 4 AI endpoints simultaneously (/api/search, /api/ai-recommend, /api/ai-menu-chat, /api/ai-voice-parse). EUR1,400 + 6-month; joint LinkedIn 18.4k.

Sweep:
- PR #570 UU F1: customer-side
- PR #575 VV F5: affiliate extractFingerprint
- PR #531 JJ-5: 9 audit-log writers
- PR #570 UU F1: final 9 Route Handler audit-log XFF cleanup
- PR #611 DDD F4: defense-in-depth, 9 more

Pattern for the Cloudflare Worker ecosystem: XFF is never trusted; CF-Connecting-IP or null. The PR template asks: "Does this route read X-Forwarded-For? If yes, justify."

Pattern: X-Forwarded-For is an HTTP proxy-chain header and is client-settable (RFC 7239); coming from a direct client, it is whatever the client decides. In a Cloudflare Worker, CF-Connecting-IP is set by Cloudflare on every request before the worker runs. It reflects the TLS handshake source IP at Cloudflare's edge, is not attacker-controllable, and is the single source of truth for rate-limit fingerprinting. XFF fallbacks are pragmatic for dev environments and non-Cloudflare setups, but they are a silent fail-open. The safer pattern is fail-closed: if CF-Connecting-IP is missing, throw and return 503; in dev, mock the IP explicitly.

Sweep checklist: grep for headers.get X-Forwarded-For and delete the fallback; make CF-Connecting-IP mandatory; in audit logs prefer ip: null over a spoofed entry (honest absence vs dishonest data). See the CLAUDE.md §17 anti-pattern. Reference: PR #570.
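
The fallback expression quoted above beside the fail-closed form, run over constructed requests. This is an added example, not thMenu's code: HeaderBag, makeHeaders, statusFor and distinctBuckets are hypothetical helpers, and the sample IPs are documentation addresses.

```typescript
// Added illustration, not thMenu's code. HeaderBag, makeHeaders, statusFor and
// distinctBuckets are hypothetical helpers so this runs without a Worker runtime.
type HeaderBag = { get(name: string): string | null };

function makeHeaders(init: Record<string, string>): HeaderBag {
  const m = new Map<string, string>();
  for (const [k, v] of Object.entries(init)) m.set(k.toLowerCase(), v);
  return { get: (name: string) => m.get(name.toLowerCase()) ?? null };
}

class RateLimitInputError extends Error {}

// "Before": falls back to the client-settable X-Forwarded-For header.
function extractFingerprintFailOpen(headers: HeaderBag): string {
  const cfIp = headers.get("CF-Connecting-IP");
  const xff = headers.get("X-Forwarded-For");
  return cfIp ?? xff?.split(",")[0]?.trim() ?? "unknown";
}

// "After": CF-Connecting-IP or nothing; a missing header is an error.
function extractFingerprintFailClosed(headers: HeaderBag): string {
  const cfIp = headers.get("CF-Connecting-IP");
  if (!cfIp) throw new RateLimitInputError("CF-Connecting-IP missing");
  return cfIp;
}

// Caller side: the fail-closed error becomes 503 Service Unavailable.
function statusFor(headers: HeaderBag): number {
  try {
    extractFingerprintFailClosed(headers);
    return 200;
  } catch (e) {
    if (e instanceof RateLimitInputError) return 503;
    throw e;
  }
}

// Number of distinct rate-limit buckets a batch of requests lands in.
function distinctBuckets(reqs: HeaderBag[], fn: (h: HeaderBag) => string): number {
  return new Set(reqs.map(fn)).size;
}

// Constructed sample: 100 requests from one client, each with a different XFF.
const noCf = Array.from({ length: 100 }, (_, i) =>
  makeHeaders({ "X-Forwarded-For": `198.51.100.${i}, 10.0.0.1` }));
const withCf = Array.from({ length: 100 }, (_, i) =>
  makeHeaders({ "CF-Connecting-IP": "203.0.113.7", "X-Forwarded-For": `198.51.100.${i}` }));
```

With the fallback, the 100 requests that lack CF-Connecting-IP land in 100 separate buckets, so no per-IP limit is ever reached. The fail-closed form rejects them with 503 and keys every request that carries CF-Connecting-IP on that value alone.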

thMenu Team