X-Forwarded-For
HTTP header field
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
The X-Forwarded-For HTTP request header was introduced by the Squid caching proxy server's developers.
X-Forwarded-For is also an email header indicating that an email message was forwarded from one or more other accounts (probably automatically).
Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.
Format
The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2
where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address from which it received the request. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as the remote address of the request.
Examples:
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
Because the X-Forwarded-For header is not formally standardized, some variations in the IP address format exist. For example, some implementations include the port number of clients, or enclose IPv6 addresses in square brackets even without a port number, similar to the format of the newer Forwarded header. Examples:
X-Forwarded-For: 203.0.113.195:41237, 198.51.100.100:38523
X-Forwarded-For: [2001:db8::1a2b:3c4d]:41237, 198.51.100.100:26321
X-Forwarded-For: [2001:db8::aa:bb]
Usage
The X-Forwarded-For header is added or edited by HTTP proxies when forwarding a request. The proxy appends the address of the client it received the request from to an existing X-Forwarded-For header, separated by a comma, or creates a new X-Forwarded-For header with that client address as the value.
Since it is easy to forge an X-Forwarded-For field, the given information should be used with care. The right-most IP address is always the IP address that connected to the last proxy, which makes it the most reliable piece of information in the header. X-Forwarded-For data can be used in a forward or reverse proxy scenario. If the server is behind a trusted reverse proxy and only accepts connections from that proxy, the header value can usually be assumed to be trustworthy.
Just logging the X-Forwarded-For field is not always enough, because the IP address of the last proxy in the chain is not contained in the X-Forwarded-For field; it is only visible in the IP header of the connection itself. A web server should log both the request's source IP address and the X-Forwarded-For field for completeness.
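The following is an added example, not code from the original article: it parses the header variants shown in the Format section (bare addresses, ip:port, and bracketed IPv6 with or without a port) and then resolves the client address the way the Usage section recommends, walking the chain from the right and skipping only proxies the operator controls. The function names, the constructed header values and the trusted network ranges are assumptions made for the illustration.

```python
import ipaddress

# Constructed example: recover the originating client from X-Forwarded-For.
# Only the TCP peer address is authentic; every header entry left of the
# first hop we do not operate was written by someone we do not trust.

def parse_xff(value):
    """Split an X-Forwarded-For value into ip_address objects, left to right.
    Accepts '203.0.113.195', '203.0.113.195:41237', '[2001:db8::1]:41237'
    and '[2001:db8::1]'. An entry that is not an address becomes None."""
    out = []
    for raw in value.split(","):
        tok = raw.strip()
        if tok.startswith("["):                  # bracketed IPv6, optional :port
            host = tok[1:tok.find("]")] if "]" in tok else tok[1:]
        elif tok.count(":") == 1:                # IPv4 with port (IPv6 never has one colon)
            host = tok.split(":")[0]
        else:                                    # bare IPv4 or bare IPv6
            host = tok
        try:
            out.append(ipaddress.ip_address(host))
        except ValueError:
            out.append(None)
    return out

def client_ip(remote_addr, xff, trusted_proxies):
    """remote_addr: peer address of the TCP connection (always authentic).
    xff: X-Forwarded-For header value, or None if absent.
    trusted_proxies: CIDR strings of the proxies we operate (assumed list)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    def is_trusted(ip):
        return ip is not None and any(ip in net for net in trusted)
    peer = ipaddress.ip_address(remote_addr)
    # If the direct peer is not one of our proxies, ignore the header entirely:
    # the client could have forged it, so the peer address is the client.
    if not xff or not is_trusted(peer):
        return str(peer)
    chain = parse_xff(xff)
    # Walk right to left: each entry was appended by the hop to its right,
    # so the first address that is not our own proxy is the real client.
    for ip in reversed(chain):
        if not is_trusted(ip):
            # An unparseable entry is not evidence of anything; fall back to the peer.
            return str(ip) if ip is not None else str(peer)
    # Every entry is one of our proxies (e.g. an internal health check);
    # the leftmost one originated the request.
    return str(chain[0]) if chain and chain[0] is not None else str(peer)
```

Logging should still record remote_addr alongside the raw header value, since the resolved client address depends on the trusted-proxy list being correct.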
Alternatives and variations
The IETF has standardized a Forwarded HTTP header with a similar purpose but more features than the X-Forwarded-For header. Examples:
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for="[2001:db8::1234]"
HAProxy defines the PROXY protocol which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header. This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.
This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page.