Don't trust the first item in the X-Forwarded-For header
Any security-related use of X-Forwarded-For (such as for rate limiting or IP-based access control) must only use IP addresses added by a trusted proxy. Using untrustworthy values can result in rate-limiter avoidance, access-control bypass, memory exhaustion, or other negative security or availability consequences.
-- MDN's X-Forwarded-For article
Short version:
* Do