What is X-Forwarded-For and when can you trust it? (2024)
9 months ago
- #HTTP Headers
- #Networking
- #Web Security
- The X-Forwarded-For (XFF) HTTP header records where a web request came from: a comma-separated list of the original client IP address followed by each intermediary (proxy, load balancer, CDN) the request passed through.
- Without XFF, servers only see the last intermediary's IP, not the true client origin.
- XFF is used for user authentication, load balancing, data localization, geographic content delivery, access control, fraud prevention, and more.
- XFF headers can be faked, so they should never be fully trusted without validation.
- Trusted reverse proxies can sanitize XFF headers by replacing or appending client IPs securely.
- To determine the real client IP, read the XFF list from right to left, skipping the IPs of your own known internal proxies; the first address that is not one of them is the client.
- Parsing XFF headers requires careful handling to avoid security risks like injection or request smuggling.
- Alternatives to XFF include the standardized Forwarded header, which offers better extensibility and security.
- Other non-standard headers like X-Real-IP, CF-Connecting-IP, and Via serve similar purposes in specific contexts.
- Proper use of XFF or Forwarded headers can improve security, performance, and compliance with privacy laws.
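The right-to-left walk over trusted proxies described above, as an added example (this is not code from the summarized article). It assumes a constructed set of trusted proxy ranges (`TRUSTED_PROXIES`, using private and documentation address space), takes the TCP peer address as the only hop the server actually observed, and accepts either an X-Forwarded-For list or the `for=` values of an RFC 7239 Forwarded header. A client-supplied leading entry is never reached unless every hop to its right belongs to us, which is what makes the spoofed value harmless.

```python
import ipaddress
from typing import List, Optional

# Constructed sample: address ranges of proxies we operate and therefore trust.
# Anything outside these ranges is treated as "not ours", i.e. potentially the client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),      # internal load balancers (hypothetical)
    ipaddress.ip_network("203.0.113.0/24"),  # CDN egress range (documentation range)
]


def parse_xff(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into its entries, left (client) to right (last proxy)."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def parse_forwarded_for(header_value: str) -> List[str]:
    """Extract the for= values of an RFC 7239 Forwarded header, left to right.

    Each comma-separated element carries ;-separated key=value pairs; values may be
    quoted, and IPv6 nodes are written as "[addr]" with an optional ":port".
    """
    result = []
    for element in header_value.split(","):
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, _, value = pair.strip().partition("=")
            if key.strip().lower() == "for":
                result.append(value.strip().strip('"'))
    return result


def strip_port(node: str) -> str:
    """Remove a trailing :port from a node identifier, handling bracketed IPv6."""
    if node.startswith("["):
        return node[1 : node.index("]")]
    if node.count(":") == 1:          # IPv4:port; a bare IPv6 literal has several colons
        return node.rsplit(":", 1)[0]
    return node


def to_ip(node: str):
    """Parse a node into an ip_address, or None for obfuscated/garbage entries."""
    try:
        return ipaddress.ip_address(strip_port(node))
    except ValueError:
        return None


def is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, xff: Optional[str] = None,
                   forwarded: Optional[str] = None) -> Optional[str]:
    """Return the client IP, or None if the chain cannot be trusted.

    The TCP peer is appended as the rightmost hop because it is the one address
    the server observed itself. Walking right to left, every hop inside
    TRUSTED_PROXIES is skipped; the first address outside them is the client.
    An unparseable entry ends the walk, since nothing to its left can be vouched for.
    """
    chain = parse_forwarded_for(forwarded) if forwarded else parse_xff(xff or "")
    hops = chain + [peer_ip]
    for node in reversed(hops):
        addr = to_ip(node)
        if addr is None:
            return None
        if not is_trusted(addr):
            return str(addr)
    return None  # every hop was one of our own proxies


if __name__ == "__main__":
    # Client spoofs "1.2.3.4"; our proxy 10.0.0.5 appends the real peer 198.51.100.7.
    print(real_client_ip("10.0.0.5", xff="1.2.3.4, 198.51.100.7"))       # 198.51.100.7
    # Direct connection from an untrusted peer: the header is ignored entirely.
    print(real_client_ip("198.51.100.7", xff="1.2.3.4"))                  # 198.51.100.7
```

When the peer itself is not a trusted proxy, the loop returns it on the first iteration and the header is never consulted, which is the correct behaviour for a server exposed directly to the internet. Keep `TRUSTED_PROXIES` tight: every range you add there is a range whose header claims you will believe.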