Consider this. You've got an application which records users' IP addresses when they access, say, a PHP script. According to HTTP headers, you've generally got two ways of knowing the user's IP. One is to use $_SERVER['REMOTE_ADDR'], and the other is $_SERVER['HTTP_X_FORWARDED_FOR']. Which do you trust the most?
What happens if, say, you trusted HTTP_X_FORWARDED_FOR over REMOTE_ADDR, and someone indicated that, using Firefox, it is trivial to spoof the former? Would you change your code to use REMOTE_ADDR, or would you argue that anyone can also spoof their REMOTE_ADDR using proxies and other such things?
I would be interested in hearing your thoughts on this issue.
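
An added example, not part of the original post: one way to choose between the two values when logging a client address. REMOTE_ADDR is the peer of the TCP connection, while X-Forwarded-For is a request header the client controls, so the header is read only when the connection came from a reverse proxy you run. The proxy list, the function name client_ip() and the sample addresses are assumptions made for illustration, and the sketch assumes your proxies append the address they received the request from.

```php
<?php
// Added example. TRUSTED_PROXIES is an assumed, constructed list of
// reverse proxies operated by the site itself.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the address to log for this request.
 * REMOTE_ADDR is taken from the TCP connection; X-Forwarded-For is only
 * consulted when that connection came from one of our own proxies.
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: ignore whatever the header claims
    }
    // Each proxy appends the address it saw, so walk the list right to left
    // and stop at the first hop that is not one of ours.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed header: fall back to the TCP peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer; // every listed hop was one of our proxies
}

// Constructed sample requests using documentation address ranges.
$samples = [
    'direct, header set by client' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via our proxy' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via our proxy, client-set prefix' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.23'],
    'via our proxy, malformed header' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $label => $server) {
    printf("%-34s => %s\n", $label, client_ip($server));
}
```

Logging both the raw REMOTE_ADDR and the raw header alongside the resolved value keeps the record useful for later investigation even if the proxy list turns out to be incomplete.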