• Resolved Benjamin Birkenhake

    (@benjaminbirkenhake)


    Hi there again …

    We noticed that the plugin writes a JavaScript variable gdpr_compliant_recaptcha_ip in the head containing the IP address of the user. That’s usually fine and understandable. Buuut … it leads to some problems within our setup.

    a) We use a Varnish as a reverse frontend cache and the plugin seems to work fine so far. But I don’t understand why, as every user gets the HTML of the visitor who visited a given URL the first time Varnish got that URL. I’m surprised that that works, as there’s the wrong IP in the head.

    b) Of course we don’t want to disclose the IP addresses of other users via the Varnish.

    c) We did notice that in the first place because the JavaScript code of the plugin is also on pages where a comment form is included, buuut … I didn’t configure the plugin to protect comment forms. And as far as I can tell from reading the code, it actually adds the code behind add_script_to_header() in the stamp class to every single page. Is that correct? And if so … is there any way the plugin allows me to deactivate that on certain pages/URLs?

    Thanks again for any help in advance!

    Benjamin

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Matthias Nordwig

    (@matthiasnordwig)

    Cheers.

    That’s an interesting use case.

    Regarding a) and b): When a user loads the page, both their IP address and the hash assigned to them are statically stored in your cache under this setup. Every subsequent user is then interacting with those same data points instead of their own IP and individual hash. The proof-of-work still needs to be done based on this shared data, so technically it works – but, as you pointed out, this raises concerns from a privacy and data protection perspective.

    As for c): The script actually gets injected every time. I haven’t implemented a way yet to exclude it based on URL or page.

    I’ll probably need to switch to a dynamic method to fetch the IP and hash for a) and b). For c), I’ll look into it.

    Kind regards, Matthias

    Plugin Author Matthias Nordwig

    (@matthiasnordwig)

    Just to clarify: Both the IP address and the associated hash are already being dynamically generated by the plugin today. The static entries in the code are remnants from earlier versions and were kept as a fallback to ensure these values are present when the proof-of-work algorithm initiates. However, these two variables (lines 346 and 347) can safely be initialized as empty. This adjustment will be part of the next release and should resolve the data protection concern.

    Thread Starter Benjamin Birkenhake

    (@benjaminbirkenhake)

    Ah that’s great to know. Thanks again for the quick, kind and very helpful answer! 😀


The topic ‘IP in Source-Code and Frontend-Caches’ is closed to new replies.
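
An added example, not part of the thread or the plugin's code: a small audit that flags responses whose inline gdpr_compliant_recaptcha_ip value differs from the requesting client's address, which is the situation described in a) and b). The assignment syntax, the use of the Age header as a cache-hit signal, and the sample responses are assumptions constructed for illustration; only the variable name comes from the thread.

```python
import ipaddress
import re

# Assumed shape of the inline assignment; only the variable name is from the thread.
IP_VAR = re.compile(r"""gdpr_compliant_recaptcha_ip\s*=\s*(['"])(.*?)\1""")


def embedded_ip(html):
    """Return the IP literal embedded in the page, or None if absent, empty or invalid."""
    m = IP_VAR.search(html)
    if not m or not m.group(2).strip():
        return None
    try:
        return str(ipaddress.ip_address(m.group(2).strip()))
    except ValueError:
        return None


def audit(responses):
    """Flag responses whose embedded IP is not the requester's own address.

    Each response is a tuple (client_ip, headers, html). A non-zero Age header
    is treated as "served from the shared cache" (assumption).
    """
    findings = []
    for client_ip, headers, html in responses:
        ip = embedded_ip(html)
        if ip is None:
            continue  # nothing embedded, e.g. the variable is initialized empty
        if ip != client_ip:
            cached = int(headers.get("Age", "0")) > 0
            findings.append((client_ip, ip, "cache hit" if cached else "uncached"))
    return findings


# Constructed sample responses using documentation-only address ranges.
PAGE = "<html><head><script>var gdpr_compliant_recaptcha_ip = '{}';</script></head></html>"
SAMPLE = [
    ("203.0.113.7", {"Age": "0"}, PAGE.format("203.0.113.7")),     # first visitor fills the cache
    ("198.51.100.23", {"Age": "42"}, PAGE.format("203.0.113.7")),  # later visitor gets the cached copy
    ("198.51.100.99", {"Age": "97"}, PAGE.format("")),             # variable initialized empty
]

if __name__ == "__main__":
    for client, leaked, source in audit(SAMPLE):
        print(f"{client} received a page embedding {leaked} ({source})")
```
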