Need detail
Review the following code snippet for security vulnerabilities and suggest fixes.

Code:

```typescript
// Rate limiter using client IP
import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 60 * 1000,
  max: 100,
  keyGenerator: (req) => {
    // Trust forwarded IP for users behind load balancer
    return req.headers['x-forwarded-for'] as string || req.ip;
  },
});
```

Focus areas: x-forwarded-for is client-controlled, allows rate limit bypass by spoofing header; must validate against trusted proxy list

Deliverable:

1. List each vulnerability found with severity (Critical/High/Medium/Low)
2. Explain the attack vector for each vulnerability
3. Provide a corrected code snippet with the fixes applied
4. Rate the overall security posture of the code (1-10)

Format: Markdown with numbered vulnerability sections.
$5.00
3/31/2026
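One way to apply the trusted-proxy validation named in the focus areas, as an added example that is not part of the original posting: the key is taken from `X-Forwarded-For` only when the TCP peer is an allowlisted proxy, and the header is read right to left. `rateLimitKey`, `TRUSTED_PROXIES`, the helper names and all addresses are assumptions constructed for illustration; the allowlist matches exact addresses only.

```typescript
// Added example: derive the rate-limit key from the socket peer plus X-Forwarded-For.
// TRUSTED_PROXIES is a constructed allowlist standing in for the load balancer addresses.
const TRUSTED_PROXIES: ReadonlySet<string> = new Set(["10.0.0.5", "10.0.0.6"]);

// Strip the IPv4-mapped IPv6 prefix that Node reports on dual-stack sockets.
function normalizeIp(raw: string): string {
  const ip = raw.trim().toLowerCase();
  return ip.startsWith("::ffff:") ? ip.slice(7) : ip;
}

// Syntactic check so junk header values never become rate-limit keys.
function looksLikeIp(ip: string): boolean {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255);
  return ip.includes(":") && /^[0-9a-f:]{2,39}$/.test(ip);
}

function rateLimitKey(
  peerAddress: string,
  xForwardedFor: string | string[] | undefined,
  trusted: ReadonlySet<string> = TRUSTED_PROXIES,
): string {
  const peer = normalizeIp(peerAddress);
  // The header is client-controlled: ignore it unless the TCP peer is one of our proxies.
  if (!trusted.has(peer) || xForwardedFor === undefined) return peer;

  const header = Array.isArray(xForwardedFor) ? xForwardedFor.join(",") : xForwardedFor;
  const hops = header.split(",").map(normalizeIp).filter((hop) => hop.length > 0);

  // Proxies append to the header, so walk right to left: the first hop that is
  // not in the allowlist is the client address as seen by our own infrastructure.
  for (const hop of hops.reverse()) {
    if (trusted.has(hop)) continue;
    return looksLikeIp(hop) ? hop : peer;
  }
  return peer; // Header held only trusted proxies; fall back to the peer.
}
```

Express implements the same rule through its `trust proxy` setting, after which `req.ip` can be used as the key directly.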