From d8a88fc57a9c1e505d78386039ef281b7f51fabc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9on=20Melis?= <leon@leonmelis.nl>
Date: Fri, 26 Sep 2025 13:33:42 +0200
Subject: [PATCH] Scrub PII exposed by Cloudflare proxy services

CloudFlare's proxy services are known to inject 'CF-Connecting-IP' header in the request, which contains the real IP address of the requester. This header seems to have similar functionality as 'X-Forwarded-For' and/or 'X-Real-IP'.

As with X-Real-IP and X-Forwarded-For, the IP-address contained in the header is considered PII and should be scrubbed by default.

See also: https://developers.cloudflare.com/fundamentals/reference/http-headers/
---
 src/Integration/RequestIntegration.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Integration/RequestIntegration.php b/src/Integration/RequestIntegration.php
index 72e17ac77..14885d773 100644
--- a/src/Integration/RequestIntegration.php
+++ b/src/Integration/RequestIntegration.php
@@ -59,6 +59,7 @@ final class RequestIntegration implements IntegrationInterface
         'Set-Cookie',
         'X-Forwarded-For',
         'X-Real-IP',
+        'CF-Connecting-IP',
     ];
 
     /**