b6ea558de8
The True-Client-IP header is set by Cloudflare and is only trustworthy when behind a Cloudflare proxy. In non-Cloudflare deployments, this header is attacker-controlled and can be used to spoof IP addresses. Moving the middleware into the saas engine ensures it only loads for our Cloudflare-fronted production deployment, not for self-hosted OSS instances. GHSA-cpch-9qg2-x8fq