XForwardedFor

X-Forwarded-For (XFF) is an HTTP header used to identify the original client IP address when a request passes through one or more proxies or load balancers before reaching the destination server. It is commonly employed in web architectures that sit behind reverse proxies.

The header typically contains a comma-separated list of IP addresses. Each proxy may append its own IP to the right end of the list, so the left-most IP is usually the client’s address as seen by the first proxy. In IPv4 and IPv6 environments, this enables downstream servers to infer the client’s address even when direct connectivity is unavailable.

XFF is widely used for logging, rate limiting, geolocation, and other edge-facing decisions. However, it is not a guaranteed or authenticated source of truth; its reliability depends on the trustworthiness of the proxies that populate or modify it. If a request connects directly to the origin server, or if untrusted clients can influence the header, the value can be forged.

Security and privacy considerations are important. Relying on XFF for authentication or access control is risky, and exposing internal network addresses can raise privacy concerns. Best practices include validating the chain of proxies, configuring servers to trust only known proxies, and using the standardized Forwarded header (RFC 7239) where possible.

In practice, many deployments still rely on XFF, but administrators often complement it with proper proxy configuration and, where feasible, a transition to the Forwarded header or framework-provided remote address handling to ensure more robust provenance of client IP information.
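
One way to apply the "trust only known proxies" practice, as an added example that is not part of the original page: ignore the header unless the TCP peer is a known proxy, then walk the list from right to left and stop at the first address that is not one of your proxies. The function name `client_ip` and the networks in `TRUSTED_PROXIES` are assumptions made for illustration.

```python
import ipaddress

# Assumed deployment: placeholder networks standing in for your own proxy tier.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8:1::/48")]


def _is_trusted(addr):
    """True if addr belongs to one of the configured proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(token):
    """Parse one list element; None if it is not a plain IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def client_ip(peer_addr, xff_values):
    """Return the client address to use for logging or rate limiting.

    peer_addr  -- address of the TCP peer that connected to this server
    xff_values -- every X-Forwarded-For header value, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer):
        # Direct connection: whatever the header says was written by the
        # client itself, so it is ignored entirely.
        return peer
    # Repeated header lines are equivalent to one comma-joined list.
    hops = ",".join(xff_values).split(",")
    candidate = peer
    for token in reversed(hops):
        addr = _parse(token)
        if addr is None:
            break  # unparseable entry: keep the last hop we could verify
        candidate = addr
        if not _is_trusted(addr):
            break  # first non-proxy address from the right: stop here
    # Anything further left was supplied by a party we do not control.
    return candidate


if __name__ == "__main__":
    # Constructed sample: the left-most entry was forged by the client.
    print(client_ip("10.0.0.5", ["1.2.3.4, 198.51.100.7, 10.0.0.9"]))
```

With the constructed sample, the forged left-most entry `1.2.3.4` is never reached, because the walk stops at `198.51.100.7`, the address recorded by a trusted hop.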

See also Forwarded header and related proxy concepts.