industry | 2026-05-24 | 12 min read
audit_log actor_ip spoofable XFF fallback detected on 9 routes — SOC 2 evidence gap (PR #611 DDD F4)
Magdalena (@magdalenacompl) is a 43-year-old independent compliance auditor based in Warsaw Mokotow, with 8 years at Deloitte Risk Advisory (DACH + CEE) and 5 years as an independent auditor for CEE + EU SaaS on SOC 2, ISO 27001 and GDPR Art. 32. For thMenu's Q2 2026 SOC 2 Type II preparation she ran a two-week scoped engagement on audit-log integrity validation. In week 1 she sampled 200 random audit_log rows as evidence for SOC 2 CC7.1 and CC7.2. Row 7 caught her eye: actor_ip was 10.0.0.1, an internal LAN address, for an action by an Anatolian restaurant owner whose real WAN IP should be 78.180.X.Y. Across the 200-row sample, 7 rows were suspicious: 3 rows with 10.0.0.1, 2 rows with 127.0.0.1, 1 row with 192.168.1.100 and 1 row with ::1, all RFC 1918 or loopback addresses.

The root cause is the difference between CF-Connecting-IP and X-Forwarded-For: (1) CF-Connecting-IP is Cloudflare-managed, carries the authentic client address and cannot be overridden by the client; (2) X-Forwarded-For (RFC 7239) is client-controllable and therefore spoofable. Since thMenu runs behind Cloudflare CDN Workers, it should use CF-Connecting-IP exclusively.

Engineering grepped for audit-log-writing routes and found 9+: orders status/refund/cancel, customers ban/unban, products CRUD, table-sessions DELETE, KDS PATCH, bill-requests PATCH, customer notes and shift-handovers (13 routes in total). All used the pattern `const actorIp = req.headers.get("cf-connecting-ip") ?? req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown"`. The XFF fallback was intended as defensive but is spoofable. PR #531 (JJ-5), PR #570 (UU F1) and PR #575 (VV F5) had already removed the XFF fallback from some routes; DDD F4 sweeps the 13 remaining admin-side routes.

**PR #611 batch DDD F4** is a mechanical sed sweep to `const actorIp = req.headers.get("cf-connecting-ip") ?? null`: the XFF fallback is dropped, the "unknown" string is dropped, and the fallback is null, so audit_log records NULL. A SOC 2 auditor reads NULL as "missing data, no spoof risk", whereas the string "unknown" implies an "anonymous source", which is misleading. As a bonus, Worker middleware returns 503 fail-closed when CF-Connecting-IP is unset, which closes the Cloudflare bypass path (a curl --resolve straight to the origin IP is blocked). A 90-day scan of production audit_log for RFC 1918, loopback and multicast addresses found **147 spoofed rows**, about 0.018%: low, but compliance-critical, since any spoofed row is a red flag.
An actor_ip_validated boolean column was added (FALSE for the 147 historic rows, TRUE by default for future rows). Magdalena's response: 147 rows flagged, 13 routes swept, CF-Connecting-IP exclusive going forward, 503 fail-closed on bypass, CC7.1 and CC7.2 documented. The SOC 2 Type II prep report came back clean. A version of the same flow exists with Tülin from Trabzon Ortahisar (ex-PwC Türkiye Risk Assurance, 8 years).

Pattern: **behind Cloudflare CDN, Worker / Node.js handlers must read client IP from CF-Connecting-IP exclusively — never fall back to X-Forwarded-For. XFF is client-controllable + spoofable; CF-Connecting-IP is Cloudflare-managed + authentic. If CF-Connecting-IP is unset (Cloudflare bypass attempt), 503 fail-closed — origin-direct hits closed.**

Implementation checklist:

1. cf-connecting-ip as the primary (and only) source;
2. fallback to null, preferred over the "unknown" string;
3. Worker middleware returns 503 fail-closed on bypass;
4. x-real-ip for local dev only, optional, dev mode only;
5. DB actor_ip_validated boolean as a confidence indicator;
6. backfill: 90-day audit_log scan for RFC 1918 + loopback, flag matches;
7. SOC 2 Type II evidence: audit-log integrity control statement;
8. pentest: curl --resolve to origin with an XFF spoof, 503 expected.
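The before/after header logic, the 503 fail-closed guard and the backfill scan predicate from the checklist, as an added example written for this post (not thMenu's or PR #611's own code). It assumes headers are passed as a plain name/value map, and the sample header maps are constructed; the route handler and DB access are out of scope.

```typescript
// Added example, not code from the thMenu repository.
// Headers are modelled as a plain object with case-insensitive lookup.
type HeaderMap = Record<string, string>;

function header(h: HeaderMap, name: string): string | null {
  const key = Object.keys(h).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : h[key];
}

// BEFORE: the spoofable pattern found on the 13 routes. A client that reaches the
// origin directly controls X-Forwarded-For, so the first hop becomes actor_ip.
function legacyActorIp(h: HeaderMap): string {
  return header(h, "cf-connecting-ip")
    ?? header(h, "x-forwarded-for")?.split(",")[0]?.trim()
    ?? "unknown";
}

// AFTER (PR #611 DDD F4): CF-Connecting-IP only; null, not "unknown", when absent.
function actorIp(h: HeaderMap): string | null {
  return header(h, "cf-connecting-ip") ?? null;
}

// Worker middleware decision: fail closed with 503 when Cloudflare's header is missing,
// which is what a request that bypassed the CDN looks like. Otherwise pass through.
function guard(h: HeaderMap): { status: number; actorIp: string | null } {
  const ip = actorIp(h);
  return ip === null ? { status: 503, actorIp: null } : { status: 200, actorIp: ip };
}

// Backfill scan predicate for the 90-day audit_log sweep: RFC 1918 ranges,
// IPv4/IPv6 loopback and IPv4 multicast (224.0.0.0/4). Anything else is not flagged.
function isSpoofCandidate(ip: string): boolean {
  if (ip === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || (a >= 224 && a <= 239);
}

// Constructed sample: an origin-direct request carrying only a spoofed XFF header.
const bypassRequest: HeaderMap = { "x-forwarded-for": "10.0.0.1, 203.0.113.5" };
console.log(legacyActorIp(bypassRequest)); // "10.0.0.1" would have been logged
console.log(guard(bypassRequest).status);  // 503 under the new middleware
```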