```

This handshake is successful because each party has prearranged to trust the root certificate that
signs the other party's chain.

Well-Known Certificate Authorities
----------------------------------

In these examples we've prearranged which root certificates to trust. But for regular HTTPS on the
Internet this set of trusted root certificates is usually provided by default by the host platform.

              //    chain
              // We can only do this for Trusted, because Trusted implementations of cancel do
              // nothing but delegate to this method and do not permit user overrides.
              AbstractFuture<?> trusted = (AbstractFuture<?>) futureToPropagateTo;
              localValue = trusted.value();
              if (localValue == null | localValue instanceof DelegatingToFuture) {

///

Nevertheless, as the **application server** doesn't know it is behind a trusted **proxy**, by default, it wouldn't trust those headers.

But you can configure the **application server** to trust the *forwarded* headers sent by the **proxy**. If you are using FastAPI CLI, you can use the *CLI Option* `--forwarded-allow-ips` to tell it from which IPs it should trust those *forwarded* headers.

Use [CertificatePinner](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-certificate-pinner/) to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. **Do not use certificate pinning without the blessing of your server’s TLS administrator!**

You can start FastAPI CLI with the *CLI Option* `--forwarded-allow-ips` and pass the IP addresses that should be trusted to read those forwarded headers.

If you set it to `--forwarded-allow-ips="*"` it would trust all the incoming IPs.

If your **server** is behind a trusted **proxy** and only the proxy talks to it, this would make it accept whatever is the IP of that **proxy**.

<div class="termy">

```console

 * They don't specify whether a specific proxy server should be used or how to authenticate with that proxy server.

## Previous tools { #previous-tools }

### [Django](https://www.djangoproject.com/) { #django }

It's the most popular Python framework and is widely trusted. It is used to build systems like Instagram.

rate.limit.whitelist.ips=127.0.0.1,::1
# Comma-separated list of blocked IPs.
rate.limit.blocked.ips=
# Comma-separated list of trusted proxy IPs. Only trust X-Forwarded-For/X-Real-IP from these IPs.
rate.limit.trusted.proxies=127.0.0.1,::1
# Number of requests between cleanup operations to prevent memory leaks.
rate.limit.cleanup.interval=1000

# Virtual Host: Host:fess.codelibs.org=fess

     */
    Integer getRateLimitBlockedIpsAsInteger();

    /**
     * Get the value for the key 'rate.limit.trusted.proxies'. <br>
     * The value is, e.g. 127.0.0.1,::1 <br>
     * comment: Comma-separated list of trusted proxy IPs. Only trust X-Forwarded-For/X-Real-IP from these IPs.
     * @return The value of found property. (NotNull: if not found, exception but basically no way)
     */

     * Even if empty string, treated as empty plainly. So "IF pmb != null" is false if empty.
     * @param level The parameter value of level. (NotNull)
     */
    public void setLevel(String level) {
        registerVariable("level", level);
    }

    /**
     * Set the value of hostname, used in parameter comment. <br>
     * Even if empty string, treated as empty plainly. So "IF pmb != null" is false if empty.