industry · 2026-05-24 · 12 min read

Spoofable XFF fallback for actor_ip in audit-log rows, found in 9 routes: SOC 2 evidence (PR #611 DDD F4)

Tülin, 44, independent compliance auditor from Ortahisar, Trabzon (8 years PwC Turkey Risk Assurance + 5 years independent SaaS SOC 2 + ISO 27001 + GDPR Art. 32 work across Turkey and Europe). thMenu Q2 2026 SOC 2 Type II prep: a 2-week scoped engagement on audit-log integrity validation. Week 1: random evidence sample of 200 audit_log rows for SOC 2 CC7.1 (anomaly detection) + CC7.2 (incident response monitoring). Row 7 caught her eye: actor_ip 10.0.0.1, an internal LAN address, where the Anatolia restaurant owner's WAN IP should have been 78.180.X.Y. Out of 200 rows Tülin flagged 7 as suspicious: 3 rows 10.0.0.1, 2 rows 127.0.0.1, 1 row 192.168.1.100, 1 row ::1, all RFC 1918 + loopback.

CF-Connecting-IP vs X-Forwarded-For: (1) CF-Connecting-IP is Cloudflare-managed and authentic; the client cannot override it; (2) X-Forwarded-For (RFC 7239) is client-controllable and therefore spoofable. thMenu sits behind the Cloudflare CDN, so the Worker should rely on CF-Connecting-IP exclusively. Engineering grepped the 9+ audit-log-writing routes: orders status/refund/cancel + customers ban/unban + products CRUD + table-sessions DELETE + KDS PATCH + bill-requests PATCH + customer notes/notes detail + shift-handovers POST/PATCH (13 routes in total). Every one used the pattern `const actorIp = req.headers.get("cf-connecting-ip") ?? req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown"`. The XFF fallback is meant to be defensive, but it is spoofable. PR #531 JJ-5 + PR #570 UU F1 + PR #575 VV F5 had already removed XFF from some routes in earlier batches; DDD F4 is the sweep across the 13 admin-side routes.

**PR #611 batch DDD F4**: a mechanical sed sweep to `const actorIp = req.headers.get("cf-connecting-ip") ?? null`. XFF dropped, the "unknown" string dropped, null fallback instead (audit_log stores NULL, which a SOC 2 auditor interprets as "missing data, no spoof risk"; the "unknown" string carries an "anonymous source" implication and is misleading). Bonus: Worker middleware now fails closed with 503 when CF-Connecting-IP is unset, so a Cloudflare bypass (curl --resolve to the origin IP) is blocked. Production audit_log scan over 90 days for RFC 1918 + loopback addresses: **147 rows spoofed**, 0.018%, low in volume but compliance-critical, since any spoof is a red flag.
An actor_ip_validated boolean column was added (FALSE for the 147 historic rows, TRUE by default for future rows). Tülin's response: 147 spoofed rows flagged, fallback dropped in 13 routes, CF-Connecting-IP exclusive going forward, 503 fail-closed on bypass, CC7.1 + CC7.2 documented. SOC 2 Type II prep: clean report. Magdalena, Mokotów, Warsaw, ex-Deloitte Risk Advisory, same flow for the DACH + CEE version.

Pattern: **Workers / Node.js handlers behind the Cloudflare CDN take the client IP from CF-Connecting-IP exclusively; never fall back to X-Forwarded-For, because XFF is client-controllable and spoofable. When CF-Connecting-IP is unset, fail closed with 503 so direct origin hits are shut out.**

Implementation checklist: (1) cf-connecting-ip as the primary source; (2) fallback null or "unknown" (null preferred); (3) Worker middleware 503 fail-closed on bypass; (4) local dev x-real-ip optional, dev mode only; (5) DB actor_ip_validated boolean as a confidence indicator; (6) backfill: 90-day audit_log scan for RFC 1918 + loopback, flag hits; (7) SOC 2 Type II evidence: audit-log integrity control statement; (8) pentest: curl --resolve to the origin with a spoofed XFF, 503 expected.
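The before/after header pattern, the fail-closed middleware and the RFC 1918 + loopback backfill scan from the checklist, as one added example in Worker-style JavaScript. This is not thMenu's code: the function names, the `devMode` option, the plain `{ status, actorIp }` result in place of a Workers `Response`, and the sample audit_log rows are all constructed for illustration.

```javascript
// Added example (not thMenu's own code). Names, the devMode option and the sample rows are assumed.

// Minimal case-insensitive header store standing in for the Workers `Headers` object.
function makeHeaders(obj) {
  const m = new Map(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: (k) => m.get(k.toLowerCase()) ?? null };
}

// BEFORE (the pattern the audit found): the first XFF element is whatever the client sent.
function actorIpLegacy(headers) {
  return headers.get("cf-connecting-ip")
    ?? headers.get("x-forwarded-for")?.split(",")[0]?.trim()
    ?? "unknown";
}

// AFTER (PR #611 DDD F4 pattern): Cloudflare-managed header only, NULL otherwise.
function actorIp(headers) {
  return headers.get("cf-connecting-ip") ?? null;
}

// Fail-closed middleware: a request that reaches the origin without CF-Connecting-IP did not
// come through Cloudflare, so refuse it with 503 rather than log an unverifiable actor.
// devMode (assumed option) admits x-real-ip for local development only (checklist item 4).
function guardActorIp(headers, { devMode = false } = {}) {
  const ip = actorIp(headers);
  if (ip !== null) return { status: 200, actorIp: ip };
  if (devMode) {
    const dev = headers.get("x-real-ip");
    if (dev) return { status: 200, actorIp: dev };
  }
  return { status: 503, actorIp: null };
}

// Backfill classifier (checklist item 6): RFC 1918 IPv4 ranges plus IPv4/IPv6 loopback.
// A stored actor_ip in one of these ranges cannot be a real WAN client behind the CDN.
function isPrivateOrLoopback(ip) {
  if (ip === null) return false;
  if (ip === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 10) return true;                        // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12
  if (a === 192 && b === 168) return true;          // 192.168.0.0/16
  if (a === 127) return true;                       // 127.0.0.0/8 loopback
  return false;
}

// Sets actor_ip_validated: FALSE for private/loopback hits, TRUE otherwise (NULL rows stay TRUE:
// missing data, not a spoof).
function backfillValidated(rows) {
  return rows.map((r) => ({ ...r, actor_ip_validated: !isPrivateOrLoopback(r.actor_ip) }));
}

// Constructed sample rows (not production data) to exercise the backfill.
const SAMPLE_ROWS = [
  { id: 1, actor_ip: "78.180.1.2" },
  { id: 2, actor_ip: "10.0.0.1" },
  { id: 3, actor_ip: "127.0.0.1" },
  { id: 4, actor_ip: "::1" },
  { id: 5, actor_ip: null },
];

// Runs the three pieces against constructed headers and returns the observable results.
function demo() {
  const spoofed = makeHeaders({ "x-forwarded-for": "10.0.0.1, 203.0.113.9" });
  const viaCf = makeHeaders({ "cf-connecting-ip": "78.180.1.2", "x-forwarded-for": "10.0.0.1" });
  return {
    legacySpoofed: actorIpLegacy(spoofed),       // "10.0.0.1": client-chosen value lands in audit_log
    fixedSpoofed: actorIp(spoofed),              // null
    guardSpoofed: guardActorIp(spoofed).status,  // 503
    guardViaCf: guardActorIp(viaCf).actorIp,     // "78.180.1.2"
    flagged: backfillValidated(SAMPLE_ROWS)
      .filter((r) => !r.actor_ip_validated)
      .map((r) => r.id),                         // [2, 3, 4]
  };
}
```

`demo()` shows the contrast the audit turned on: the legacy fallback writes the client-supplied 10.0.0.1 into the row, the fixed resolver yields NULL, and the middleware answers 503 instead of logging anything. The same classifier that drives the backfill can also run as a pre-insert check so that a private or loopback actor_ip never reaches audit_log with actor_ip_validated = TRUE.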


thMenu Team

thmenu.com
