Yes, looks like allowed_sync_hosts should not be considered a security feature (the shared key is what provides security, IP source is pretty spoofable anyway), at best it should be considered a way to catch misconfigurations (among the trusted that know the shared secret).
Yes, looks like allowed_sync_hosts should not be considered a security feature (the shared key is what provides security, IP source is pretty spoofable anyway), at best it should be considered a way to catch misconfigurations (among the trusted that know the shared secret).
I agree that it should be documented, though.