Not sure if you had noticed, but the official SAP documentation of the “Access Control” policy was updated recently; it now carries the same warnings and cautions as the Apigee documentation regarding the HTTP header “True-Client-IP” and how to make the policy ignore it using the parameter “IgnoreTrueClientIPHeader”.
New SAP Access Control policy documentation –> link
Let’s try it:
Imagine that you are using the Access Control policy to allow requests only from “22.214.171.124”.
Check your IP address on Google:
Now open Postman, add the following HTTP header and perform a request:
Boom, you have access to the API! You are telling APIM that you are “126.96.36.199”. If you read the documentation, you can avoid this by setting the parameter “IgnoreTrueClientIPHeader” to “true” in the policy:
Perform another test:
As you can see, the default value for the property “IgnoreTrueClientIPHeader” in the policy is “false”, so you MUST take care of it.
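To make the difference concrete, here is the weak form of the policy next to the corrected one. This is an added example, not policy XML from the original post or from SAP; the allowed address is the one used above, while the rule layout (a single ALLOW rule with a /32 mask and DENY when nothing matches) and the wrapper attributes and namespace, which follow the usual SAP API Management policy template, are assumptions for this example.

```xml
<!-- Weak form: IgnoreTrueClientIPHeader is omitted, so it takes its default
     of "false" and a client-supplied True-Client-IP header is treated as the
     source address. Rule layout is an assumption for this example. -->
<AccessControl async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">22.214.171.124</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

<!-- Corrected form: the True-Client-IP header is ignored and only the address
     the platform itself resolves for the connection is matched against the rules. -->
<AccessControl async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <SourceAddress mask="32">22.214.171.124</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>
```

Because the element is optional and its absence means “false”, a quick review of every Access Control policy in your API proxies for a missing or “false” IgnoreTrueClientIPHeader element is the check to run; a policy that looks like the first block above is the one that needs fixing.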
This shows the importance of keeping the documentation up to date, and of people actually reading it 🙂