X-Forwarded-For
The X-Forwarded-For (XFF)

The X-Forwarded-For HTTP request header was introduced by the Squid caching proxy server's developers.[citation needed]

X-Forwarded-For is also an

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an
Format
The general format of the field is:[2]
X-Forwarded-For: client, proxy1, proxy2
where the value is a comma-plus-space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request appending the IP address it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header); proxy3 appears as the remote address of the request.
Examples:[3]

X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
Since it is easy to forge an X-Forwarded-For field, the given information should be used with care. The right-most IP address is always the IP address that connected to the last proxy, which makes it the most reliable piece of information in the list. X-Forwarded-For data can be used in a forward or reverse proxy scenario.

Just logging the X-Forwarded-For field is not always enough, as the IP address of the last proxy in the chain is not contained within the X-Forwarded-For field; it is in the actual IP header. A web server should log BOTH the request's source IP address and the X-Forwarded-For field information for completeness.
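The two cautions above (forgeable left-hand entries, reliable right-hand peer address) translate into a concrete rule: walk the chain from the right, peel off only proxies you operate, and take the first address you do not control. The following is an added example, not code from the article or from any proxy project; the trusted proxy ranges are an assumption constructed for illustration.

```python
"""Derive a client IP from X-Forwarded-For without trusting forged entries."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumption: the reverse proxies this server sits behind.
TRUSTED_PROXIES = [ip_network("150.172.238.0/24"), ip_network("70.41.3.18/32")]


def _is_trusted(addr: str) -> bool:
    """True only for well-formed addresses inside an operator-controlled range."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        # Garbage in the header is never a trusted hop.
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the client address as seen at our trust boundary.

    remote_addr is the peer from the IP header: the one address the client
    cannot forge. The full chain is client, proxy1, ..., proxyN, remote_addr
    (left to right). Scanning from the right, every hop that is one of our
    proxies is discarded; the first other address is the client. Left-most
    entries injected by the client are never reached, because scanning stops
    at the first hop we do not operate.
    """
    chain = [remote_addr]
    if xff:
        chain = [p.strip() for p in xff.split(",") if p.strip()] + chain
    for addr in reversed(chain):
        if not _is_trusted(addr):
            return addr
    # Every hop was one of our own proxies: fall back to the direct peer.
    return remote_addr


def log_line(remote_addr: str, xff: Optional[str]) -> str:
    """Record both the IP-header source and the raw header, as the text advises."""
    return f"remote_addr={remote_addr} x_forwarded_for={xff or '-'}"
```

A client connecting directly and sending a spoofed header is reported under its own peer address, while the same header arriving through one of the trusted proxies resolves to the address that proxy appended.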
Alternatives and variations
The Forwarded HTTP header serves a similar purpose but offers more features than the X-Forwarded-For HTTP header.[4] An example of the Forwarded header's syntax:

Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
HAProxy defines the PROXY protocol, which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header.[5] This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.
See also
- Internet privacy
- List of proxy software
- X-Originating-IP for SMTP equivalent
- List of HTTP header fields
References
1. "{title}". Archived from the original on 2014-09-20. Retrieved 2014-05-05.
2. "squid : follow_x_forwarded_for configuration directive". Squid-cache.org. Retrieved 12 November 2017.
3. "X-Forwarded-For". MDN Web Docs. Retrieved 2020-11-06.
4. RFC 7239. Retrieved February 20, 2020.
5. Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved 2012-12-24.
External links
- Apache mod_extract_forwarded