remotePeer can be spoofed
Blindly trusting the Forwarded header allows anyone to spoof the origin IP. A common way to address this security problem is to only trust Forwarded headers from trusted sources.

Examples of how to mitigate this problem:
https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from

You should, at least, remove the comment stating that this value can be used for security measures for now.
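The trusted-proxy approach the linked Apache and nginx modules implement, as an added Python example that is not the project's own code: the TCP peer is the only address we know is genuine, and each hop read from `Forwarded` (RFC 7239) or `X-Forwarded-For` is believed only while the previous hop was a configured proxy. Function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 7239 "for=" element: for=203.0.113.7, for="[2001:db8::1]:4711", for=_hidden
_FOR_RE = re.compile(r'\bfor=(?:"([^"]*)"|([^;,\s]+))', re.IGNORECASE)


def parse_node(node: str) -> Optional[IPAddr]:
    """Turn a Forwarded node identifier into an IP, dropping any port.
    Returns None for obfuscated ("_hidden"), "unknown" or garbage values."""
    node = node.strip()
    if node.startswith("["):              # "[2001:db8::1]:4711" -> 2001:db8::1
        node = node[1:node.find("]")] if "]" in node else node[1:]
    elif node.count(":") == 1:            # "203.0.113.7:1234" -> 203.0.113.7
        node = node.split(":")[0]
    try:
        return ipaddress.ip_address(node)
    except ValueError:
        return None


def forwarded_hops(headers: Dict[str, str]) -> List[str]:
    """Proxy-reported chain: leftmost = claimed origin, rightmost = nearest to us."""
    h = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in h:
        return [quoted or bare for quoted, bare in _FOR_RE.findall(h["forwarded"])]
    if "x-forwarded-for" in h:
        return [hop.strip() for hop in h["x-forwarded-for"].split(",")]
    return []


def client_ip(remote_peer: str, headers: Dict[str, str], trusted_proxies: Iterable[str]) -> str:
    """Walk the chain from the TCP peer backwards; the first address that is
    not one of our proxies is the client. A header sent straight from an
    untrusted peer is therefore ignored entirely (the spoofing case)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    current: IPAddr = ipaddress.ip_address(remote_peer)
    for hop in reversed(forwarded_hops(headers)):
        if not any(current in net for net in trusted):
            break                          # appended by someone we do not trust
        parsed = parse_node(hop)
        if parsed is None:
            break                          # proxy hid the client; report the proxy
        current = parsed
    return str(current)
```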