In SGW 3.1.x, nhooyr.io/websocket:v1.8.7 brings in github.com/gin-gonic/gin:v1.6.3,
in which X-Forwarded-For handling is unsafe, allowing for client spoofing. This is a high severity vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-28483
More info at
nhooyr.io/websocket v1.8.7 is the latest version, but there's an open PR to update gin @
We need to wait for an updated version, patch it ourselves, or use a different library.
It looks like this is an indirect dependency: https://github.com/couchbase/sync_gateway/blob/master/go.mod#L75
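For context on the class of bug behind the CVE, the following added example (not code from gin, nhooyr.io/websocket or Sync Gateway) contrasts deriving the client address from the left-most X-Forwarded-For entry with honouring the header only when the TCP peer is a known proxy. The function names, the 10.0.0.0/8 proxy range and all addresses are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// naiveClientIP is the unsafe pattern: the left-most entry is whatever the client sent.
func naiveClientIP(xff string) string {
	return strings.TrimSpace(strings.Split(xff, ",")[0])
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP honours X-Forwarded-For only when the TCP peer is a trusted proxy,
// then walks the header right to left and returns the first untrusted hop.
func clientIP(remoteAddr, xff string, trusted []*net.IPNet) string {
	host, _, _ := net.SplitHostPort(remoteAddr) // net/http always supplies host:port
	if peer := net.ParseIP(host); peer == nil || !isTrusted(peer, trusted) {
		return host // direct connection: the header is client-controlled, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed entry: nothing further left can be relied on
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return host
}

func main() {
	_, proxies, _ := net.ParseCIDR("10.0.0.0/8") // constructed proxy network
	xff := "203.0.113.7, 198.51.100.23"          // constructed: first entry supplied by the client
	fmt.Println(naiveClientIP(xff), clientIP("10.0.0.5:4431", xff, []*net.IPNet{proxies}))
}
```

With the constructed header, the naive function reports the client-supplied 203.0.113.7, while the proxy-aware one reports 198.51.100.23, the address the trusted proxy actually saw.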