Andrew, you raised a good point. Which is easily addressed by checking the `ProxyIPs' parameter (let's call it that).
Specifically, in light of your concern, I propose to add a `ProxyIPs' parameter whose initial value is `null'. The `null' value disables checking for `X-SSL-Request' headers and thus avoids spoofing. Setting the `ProxyIPs' parameter -which should be a space separated list- enables acceptance of `X-SSL-Request' headers.
On a related note, AFAIK AOLserver will always log the `X-Forwarded-For' IP address, whether the `ProxyIPs' parameter has been set or not. There is little harm in this other than that it makes it harder to track mallicious visitors.
/Bart
