X-Forwarded-For (HTTP header field)
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. The X-Forwarded-For HTTP request header was introduced by the developers of the Squid caching proxy server. [citation needed]

X-Forwarded-For is also an email header indicating that an email message was forwarded from one or more other accounts (probably automatically). [1] Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service and making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.


The general format of the field is: [2]

X-Forwarded-For: client, proxy1, proxy2

where the value is a comma-plus-space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address from which it received the request. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as the remote address of the request. Examples: [3]

X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348

Since it is easy to forge an X-Forwarded-For field, the given information should be used with care. The right-most IP address is always the IP address that connected to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario. Just logging the X-Forwarded-For field is not always enough, as the last proxy IP address in a chain is not contained within the X-Forwarded-For field; it is in the actual IP header. A web server should log BOTH the request's source IP address and the X-Forwarded-For field information for completeness.
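To show why the right-to-left reading and a proxy whitelist matter, here is an added example in Python (not code from the original article): it derives the client address from the connection's source IP and the X-Forwarded-For value, trusting only proxies in an assumed whitelist, so forged left-most entries are ignored. The whitelist networks and sample addresses are constructed for the example.

```python
import ipaddress

# Constructed whitelist: the only proxies this server trusts to append XFF entries.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def parse_xff(header):
    """Split an X-Forwarded-For value into addresses, left to right.

    Malformed entries become None so the caller can see the chain is untrustworthy.
    """
    entries = []
    for raw in header.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(ipaddress.ip_address(raw))
        except ValueError:
            entries.append(None)
    return entries


def is_trusted(addr):
    # Comparing an IPv6 address against an IPv4 network simply yields False.
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the originating client address as a string, or None if undeterminable.

    The full chain is the XFF entries followed by the TCP peer (remote_addr), which
    is the only hop known from the IP layer rather than from a forgeable header.
    Walking from the right, each hop that is a trusted proxy is skipped; the first
    untrusted hop is the client.  If the peer itself is untrusted, the header is
    ignored entirely and the peer address is returned.
    """
    chain = parse_xff(xff_header or "") + [ipaddress.ip_address(remote_addr)]
    for addr in reversed(chain):
        if not is_trusted(addr):
            return str(addr) if addr is not None else None
    # Every hop was a trusted proxy: the request originated inside the proxy tier.
    return str(chain[0])


def log_record(remote_addr, xff_header):
    """Both values a web server should log, as the text above recommends."""
    return {"remote_addr": remote_addr, "x_forwarded_for": xff_header or "-",
            "client_ip": client_ip(remote_addr, xff_header)}
```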

Proxy servers and caching engines.

The X-Forwarded-For field is supported by most proxy servers. X-Forwarded-For logging is supported by many web servers, including Apache. IIS can also use an HTTP Module for this filtering. [4] [5] [6]

Zscaler will mask an X-Forwarded-For header with Z-Forwarded-For before adding its own X-Forwarded-For header identifying the originating customer IP address. This prevents internal IP addresses from leaking out of Zscaler Enforcement Nodes, and provides third-party content providers with the true IP address of the customer. This results in a non-RFC-compliant HTTP request.

Alternatives and variations.

RFC 7239 standardized a Forwarded HTTP header with a similar purpose but more features compared to the X-Forwarded-For HTTP header. [7] An example of a Forwarded header's syntax:

Forwarded: for=;proto=http;by=

HAProxy defines the PROXY protocol, which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header. [8] This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.
