X-Forwarded-For – HTTP – MDN Web Docs
The X-Forwarded-For (XFF) header is a de-facto standard
header for identifying the originating IP address of a client connecting to a web server
through an HTTP proxy or a load balancer. When traffic is intercepted between clients
and servers, server access logs contain the IP address of the proxy or load balancer
only. To see the original IP address of the client, the X-Forwarded-For
request header is used.
This header is used for debugging, statistics, and generating location-dependent
content and by design it exposes privacy sensitive information, such as the IP address
of the client. Therefore the user’s privacy must be kept in mind when deploying this
A standardized version of this header is the HTTP Forwarded header.
X-Forwarded-For is also an email header indicating that an email message
was forwarded from another account.
The client IP address comes first; if the request passes through multiple proxies, the
IP address of each successive proxy is listed after it. This means the right-most IP
address is the IP address of the most recent proxy and the left-most IP address is the
IP address of the originating client.
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
Other non-standard forms:
# Used for some Google services
X-ProxyUser-Ip: 203.0.113.19
Not part of any current specification. The standardized version of this header is
the HTTP Forwarded header.
HTTP headers and Classic Load Balancers – AWS …
HTTP requests and HTTP responses use header fields to send information about the HTTP
messages. Header fields are colon-separated name-value pairs that are separated by a
carriage return (CR) and a line feed (LF). A standard set of HTTP header fields is
defined in RFC 2616, Message Headers. There are also non-standard HTTP headers
available (and automatically added) that are widely used by applications. Some of
the non-standard HTTP headers have an X-Forwarded prefix. Classic Load Balancers support
the following X-Forwarded headers.
For more information about HTTP connections, see Request
routing in the Elastic Load Balancing User Guide.
Confirm that your listener settings support the X-Forwarded headers. For more
information, see Listener configurations for
Classic Load Balancers.
Configure your web server to log client IP addresses.
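The last step above leaves the web-server side unspecified. The following nginx fragment is an added example, not part of the AWS documentation: it uses the realip module to replace $remote_addr with the address recovered from X-Forwarded-For before the access log is written, and only for connections that arrive from the load balancer's address range. The 10.0.0.0/8 range, the log format name and the log path are assumptions; substitute the VPC CIDR the load balancer actually uses.

```nginx
# Added example (not from the AWS documentation): recover the client address
# from X-Forwarded-For for logging. 10.0.0.0/8 stands in for the load balancer
# subnet and is an assumption.
http {
    # Only connections from these ranges may rewrite $remote_addr. A direct
    # connection from anywhere else keeps its TCP peer address, so a header the
    # client sent itself is ignored.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Forwarded-For;

    # Walk the comma-separated list right to left, skipping trusted proxies,
    # and take the first address that is not one of ours. Without this, nginx
    # would take the last entry, which is fine for a single hop but wrong when
    # several trusted proxies are chained.
    real_ip_recursive on;

    # $remote_addr is now the recovered client address. Keep the raw header and
    # X-Forwarded-Proto as well so a mismatch can still be investigated later.
    log_format xff '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent '
                   'xff="$http_x_forwarded_for" proto="$http_x_forwarded_proto"';
    access_log /var/log/nginx/access.log xff;

    # ... server blocks as usual ...
}
```

The important setting is set_real_ip_from: if it is widened to 0.0.0.0/0, any client can put an arbitrary address in its own X-Forwarded-For and have it land in the log as $remote_addr.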
The X-Forwarded-For request header is automatically added and helps
you identify the IP address of a client when you use an HTTP or HTTPS load balancer.
Because load balancers intercept traffic between clients and servers, your server
access logs contain only the IP address of the load balancer. To see the IP address
of the client, use the X-Forwarded-For request header. Elastic Load Balancing stores the
IP address of the client in the X-Forwarded-For request header and
passes the header to your server. If the X-Forwarded-For request header
is not included in the request, the load balancer creates one with the client IP
address as the request value. Otherwise, the load balancer appends the client IP
address to the existing header and passes the header to your server. The
X-Forwarded-For request header may contain multiple IP addresses
that are comma separated. The left-most address is the client IP where the request
was first made. This is followed by any subsequent proxy identifiers, in a
The X-Forwarded-For request header takes the following form:
The following is an example X-Forwarded-For request header for a
client with an IP address of 203.0.113.7.
X-Forwarded-For: 203.0.113.7
client with an IPv6 address of
The X-Forwarded-Proto request header helps you identify the protocol
(HTTP or HTTPS) that a client used to connect to your load balancer. Your server
access logs contain only the protocol used between the server and the load balancer;
they contain no information about the protocol used between the client and the load
balancer. To determine the protocol used between the client and the load balancer,
use the X-Forwarded-Proto request header. Elastic Load Balancing stores the protocol
used between the client and the load balancer in the X-Forwarded-Proto
request header and passes the header along to your server.
Your application or website can use the protocol stored in the
X-Forwarded-Proto request header to render a response that
redirects to the appropriate URL.
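The redirect described above is only safe if the application distinguishes a header written by the load balancer from one the client sent directly. The following Python is an added example (not code from the AWS documentation): it honours X-Forwarded-Proto only when the connection peer is inside the load balancer's address range, falls back to the scheme of the actual connection otherwise, and builds the redirect target from a configured canonical host rather than the request's Host header. The 10.0.0.0/8 range and the www.example.com host are constructed values.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed assumptions: the load balancer lives in 10.0.0.0/8 and the site's
# canonical name is www.example.com. Both are placeholders for real deployments.
TRUSTED_PROXIES = ["10.0.0.0/8"]
CANONICAL_HOST = "www.example.com"


def _is_trusted(addr: str, trusted: Iterable[str]) -> bool:
    """True if addr falls inside one of the proxy ranges we operate."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in trusted)


def effective_scheme(headers: Mapping[str, str], remote_addr: str,
                     connection_scheme: str, trusted: Iterable[str]) -> str:
    """Scheme the client actually used.

    X-Forwarded-Proto is consulted only when the TCP peer is a trusted proxy;
    from anyone else it is ordinary client input and is ignored. Unknown
    values are ignored too, so the result is always the connection scheme or
    a well-formed forwarded one.
    """
    if _is_trusted(remote_addr, trusted):
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        if proto in ("http", "https"):
            return proto
    return connection_scheme


def https_redirect(headers: Mapping[str, str], remote_addr: str,
                   connection_scheme: str, trusted: Iterable[str],
                   canonical_host: str, path: str) -> Optional[str]:
    """Return the Location for a redirect to HTTPS, or None if none is needed.

    The host comes from configuration, not from the request's Host header, so
    the redirect cannot be pointed at a third-party site.
    """
    scheme = effective_scheme(headers, remote_addr, connection_scheme, trusted)
    if scheme == "https":
        return None
    return f"https://{canonical_host}{path}"


if __name__ == "__main__":
    # Behind the LB: header says https, so no redirect even though the
    # LB-to-server hop is plain HTTP.
    print(https_redirect({"X-Forwarded-Proto": "https"}, "10.0.1.5", "http",
                         TRUSTED_PROXIES, CANONICAL_HOST, "/"))
    # Direct connection claiming https: header not trusted, redirect issued.
    print(https_redirect({"X-Forwarded-Proto": "https"}, "198.51.100.20", "http",
                         TRUSTED_PROXIES, CANONICAL_HOST, "/login"))
```

In a WSGI application, connection_scheme would come from environ["wsgi.url_scheme"] and remote_addr from environ["REMOTE_ADDR"]; the header lookup is shown with a plain dict for brevity.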
The X-Forwarded-Proto request header takes the following form:
The following example contains an X-Forwarded-Proto request header
for a request that originated from the client as an HTTPS request:
The X-Forwarded-Port request header helps you identify the
destination port that the client used to connect to the load balancer.
Security Rule Zero: A Warning about X-Forwarded-For – F5 Networks
Proxies operate on the premise that they exist to forward requests from one system to another. They generally add some value – otherwise they wouldn’t be in the middle – like load balancing (scale), data leak prevention (security), or compression (performance).
The thing is that the request sent by the client is otherwise passed, unmodified, to its target destination.
Here’s where things can get dicey. Today, we see more than half of all apps delivered via a proxy make use of X-Forwarded-For. 56% of real, live apps are using it, which makes it a pretty significant piece of data. X-Forwarded-For is the custom HTTP header that carries along the original IP address of a client so the app at the other end knows what it is. Otherwise it would only see the proxy IP address, and that makes some apps angry.
That’s because a good number of applications rely on knowing the actual IP address of a client to help prevent fraud and enable access. If you’ve logged into your bank, or Gmail, or your Xbox account lately (hey, it’s where Minecraft lives, okay?) from a device other than the one you typically use, you might have gotten a security warning. That is because the information about where you log in from is also tracked, in part to detect attempted fraud and misuse.
Your actual IP address is also used to allow or deny access in some systems, and as a means of deducing your physical location. That’s why those e-mail warnings often include “was that you logging in from Bulgaria?”
Some systems also use X-Forwarded-For to enforce access control. WordPress, for example, uses the .htaccess file to allowlist access based on IP addresses. No, it’s not the best solution, but it’s a common one, and you have to at least give them props for trying to provide some app protection against misuse.
Irrespective of whether it’s a good idea or not, if you’re going to use X-Forwarded-For as part of your authentication or authorization scheme, you should probably make a best effort attempt to ensure it’s actually the real client IP address. It is one of the more commonly used factors in the overall security equation; one that protects the consumer as much as it does corporate interests.
But if you are blindly accepting whatever the client sends you in that header, you might be enabling someone to spoof the value and thereby bypass security mechanisms meant to prevent illegitimate access. I can spoof just about anything I want, after all, by writing a few lines of code or grabbing one of the many Chrome plug-ins that enables me to manipulate HTTP headers with ease.
One of the ways to ensure that you’re getting the actual IP address is to not trust user input. Yes, there’s that Security Rule Zero again. Never trust user input. And we know that HTTP headers are user input, whether they appear to be or not.
If you’ve got a proxy already, great. If not, you should get one. Because that’s how you extract and put the right value in X-Forwarded-For and stop spoofers in their tracks.
Basically, you want your proxy to be able to reach into a request and find the actual IP address that’s hidden in its IP packet. Some proxies can do that with configuration or policies, others require some programmatic magic. However you get it, that’s the value you put into the X-Forwarded-For HTTP header, and proceed as normal. Doing so ensures that the apps or downstream services have accurate information on which to make their decisions, including those regarding access and authorization.
For most architectures and situations, this will mitigate the possibility of a spoofed X-Forwarded-For being used to gain unauthorized access. As always, the more pieces of information you have to form an accurate understanding of the client – and its legitimacy – the better your security. Combining IP address (in the X-Forwarded-For) with device type, user-agents, and other tidbits automatically carried along in HTTP and network protocols provides a more robust context in which to make an informed decision.
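The point made here, together with the header syntax in the MDN section and the append behaviour in the AWS section, can be shown end to end in a few lines. The following Python is an added example, not code from any of the pages quoted above: it models a load balancer appending the connecting address to whatever X-Forwarded-For the client already sent, shows the left-most-entry parse that the article warns against, and then a parse that walks the list from the right and stops at the first address that is not one of our own proxies. The 10.0.0.0/8 range, the 198.51.100.20 client and the 203.0.113.50 forged entry are constructed values.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample values: 10.0.0.0/8 stands in for the load balancer subnet,
# 198.51.100.20 is the real client, 203.0.113.50 is an address the client forged.
TRUSTED_PROXIES = ["10.0.0.0/8"]
LB_ADDR = "10.0.1.5"
REAL_CLIENT = "198.51.100.20"
FORGED = "203.0.113.50"


def parse_xff(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into its entries, left (oldest) to right (newest)."""
    return [p.strip() for p in header_value.split(",") if p.strip()]


def lb_append_client(existing_xff: Optional[str], peer_ip: str) -> str:
    """Model the load balancer: create the header if absent, else append the peer."""
    if not existing_xff:
        return peer_ip
    return f"{existing_xff}, {peer_ip}"


def naive_client_ip(xff: str) -> str:
    """The common mistake: the left-most entry, which the client itself controls."""
    return parse_xff(xff)[0]


def _is_trusted(addr: str, trusted: Iterable[str]) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in trusted)


def client_ip(xff: str, remote_addr: str, trusted: Iterable[str]) -> str:
    """Best available client address.

    If the TCP peer is not one of our proxies, the header is pure client input
    and the peer address is the only thing we know. Otherwise walk right to
    left, skipping our own proxies; the first address that is not ours was
    written by our proxy and is the address that actually connected to it.
    Anything further left is unverifiable.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    for addr in reversed(parse_xff(xff)):
        if _is_trusted(addr, trusted):
            continue
        try:
            return str(ipaddress.ip_address(addr))
        except ValueError:
            break  # malformed where our proxy should have written an address: don't guess
    return remote_addr  # header empty or entirely our own hops


def demo():
    """Forged entry plus the LB's append; returns (header, naive result, correct result)."""
    spoofed = lb_append_client(FORGED, REAL_CLIENT)
    return spoofed, naive_client_ip(spoofed), client_ip(spoofed, LB_ADDR, TRUSTED_PROXIES)


if __name__ == "__main__":
    header, naive, correct = demo()
    print("header as received by the app:", header)
    print("left-most entry (spoofable):  ", naive)
    print("right-to-left past trusted:   ", correct)
```

Run against the MDN example value with only 150.172.238.178 declared trusted, the same function returns 70.41.3.18 rather than 203.0.113.195: that address is the nearest hop we did not operate, and nothing to its left can be vouched for. Declaring every proxy you run, and nothing else, in the trusted list is what makes the result meaningful.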
Resources for handling X-Forwarded-For:
With a BIG-IP
How do you see X-Forwarded-For?
To check the X-Forwarded-For header in action, go to Inspect Element -> Network and check the request headers for X-Forwarded-For.