🎉 Requestly joins BrowserStack to build the future of application testing. Read more

HTTP Headers

X Forwarded For

HTTP Header

The HTTP X-Forwarded-For (XFF) request header is a widely adopted standard for identifying the original IP address of a client connecting to a web server via a proxy server.

A more standardized version of this header is the HTTP Forwarded header, though it is used less frequently.

Note: Improper use of this header can pose security risks. For detailed information, refer to the Security and Privacy Concerns section.

The Header type is a Request header.

The Forbidden request header status is No.

Syntax

Syntax

http
X-Forwarded-For: <client>, <proxy>
X-Forwarded-For: <client>, <proxy>, …, <proxyN>

For example, an IPv6 client IP in the first header, an IPv4 client IP in the second header, and an IPv4 client IP along with an IPv6 proxy IP in the third example:

http
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 2001:db8:85a3:8d3:1319:8a2e:370:7348

Directives

Directives

The <client> directive provides the IP address of the client making the request, which helps identify the source of the incoming connection.

Example

When a client establishes a direct connection to a server, the client’s IP address is transmitted to the server, often being recorded in server access logs. If the connection passes through any forward or reverse proxies, the server typically only detects the final proxy’s IP address, which may be of limited utility. This issue becomes more pronounced if the final proxy is a load balancer within the same deployment as the server.

To transmit a more accurate client IP address to the server, the X-Forwarded-For request header is employed. For detailed instructions on utilizing this header, refer to the sections on parsing and selecting an IP address.

Security and privacy concerns

This header exposes sensitive privacy information by design, so it is crucial to handle it with care. If all proxies in the request chain are trusted and correctly configured, the parts of the header added by these proxies can be trusted. However, if any proxy is malicious or misconfigured, spoofing or incorrect data may occur, rendering parts of the header unreliable. Even when behind a trusted reverse proxy, the server cannot fully trust X-Forwarded-For IPs if a direct internet connection exists. Any security-related features such as rate limiting or IP-based controls should only rely on IPs added by trusted proxies. Using untrustworthy IPs can lead to bypassed restrictions, security vulnerabilities, or system overloads.

Untrusted, leftmost IP values should only be used in situations where their potential for spoofing does not pose security risks.

Parsing

Improper parsing of the X-Forwarded-For header can have security implications, including those mentioned earlier. Consider these points when parsing: multiple X-Forwarded-For headers may be present; their IPs should be treated as a sequence starting from the first IP in the first header to the last IP in the last header. To form this sequence, either join all header values with commas and split by comma or split each header individually and then combine the lists. Using only one header is insufficient, as some proxies may join multiple headers automatically, but this behavior should not be assumed.

Selecting an IP address

When choosing an IP address from the complete list, it must include all IPs from all X-Forwarded-For headers. The closest to the client (not for security use) can be the first valid, non-private IP from the leftmost position. Note that spoofed values may not be actual IP addresses, and internal client networks may have added addresses from private IP spaces.

To select the first trustworthy client IP, additional configuration is necessary, typically one of two methods:

Trusted proxy count

The number of reverse proxies between the internet and the server is configured. The IP list is examined from the right, skipping the number of proxies minus one. For example, with one proxy, the rightmost IP is the client; with three proxies, the last two IPs are internal and should be ignored.

Trusted proxy list

The IP addresses or ranges of trusted proxies are configured. The list is searched from the right, skipping addresses on this list. The first non-trusted address from the right is considered the client IP.

Although the first trustworthy X-Forwarded-For IP might belong to an intermediate, untrusted proxy, it remains the most reliable identifier of the client for security purposes.

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the X-Forwarded-For header. This helps you test how your server or application behaves when requests appear to come from different IP addresses. Steps to Modify the X-Forwarded-For Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter X-Forwarded-For.
    • In the “Header Value” field, enter the IP address you want to simulate (e.g., 123.45.67.89).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
  5. Save the rule.

Once set up, Requestly will inject the X-Forwarded-For header with the specified IP address into all matching requests, allowing you to simulate different client IPs for testing geolocation or IP-based access controls.

You might need to modify the X-Forwarded-For header to test how your application responds to requests coming from different IP addresses, especially when your app relies on IP-based rules like security filters or regional content delivery.