James Sulinski

Results 13 comments of James Sulinski

@tyleryasaka > As far as the versioning - that's an npm thing, not a truffle thing. I was referring to the web3.js versioning, PR is here for 1.x: https://github.com/trufflesuite/truffle-contract/pull/95/commits @wanderingstan...

Good call, I agree that 14.5 is a solid place for this. Perhaps: 14.5.6 "Verify that headers containing the user's IP address, such as X-Forwarded-For and/or X-Real-IP, include the true...

> what if headers contain the faked IP, but application just ignores them? The point is - application should use only trusted one.
>
> I throw some pieces here...

Here's another draft: Verify that the application is able to discern and utilize the user's true IP address to provide data integrity and that rate limiting and logging use this...

Another idea here would be dropping 12.1.1 and modifying 12.1.3 to read: "Verify that file size and number restrictions are enforced per user to ensure that a single user cannot...

Any update here? This is a major problem which makes kube-lego basically unusable on 1.6 w/ RBAC enabled.

These two issues can likely be merged as this one is part of #1697 with a bit more detail. I'm not sure that detail is necessary, so could probably drop...