Unless someone manipulates your TCP stack it is fully trustable.
it basically is an analysis of the network stack from the IIS layer on whether the request originated locally - most likely by coming from a 127.0.0.x address (yes, localhost is the whole at that time C network, not just 127.0.0.1).
There is no way to establish a TCp connection with a fake origin, so this data can be trusted.
http://forums.asp.net/t/1065813.aspx/1
indicates via decompiling it checks on 127.0.0.1 and ::1 - both are the common localhost addresses.
Again, and still, this is totally not fakeable unless you manipualte the network stack or the .net framework classes.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…