Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
X-Forwarded-For
open-in-new
<h2 id="format">Format</h2> <p>The general format of the field is:<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> </p> X-Forwarded-For: client, proxy1, proxy2 <p>where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through <i>proxy1</i>, <i>proxy2</i>, and then <i>proxy3</i> (not shown in the header). <i>proxy3</i> appears as remote address of the request. </p><p>Examples:<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> </p> X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178 X-Forwarded-For: 203.0.113.195 X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348 <p>Because the X-Forwarded-For header is not formally standardized, some variations to the IP address format exist. For example, some implementations[<i>which?</i>] include the port number of clients, or enclose IPv6 addresses in square brackets even without the port number, similar to the format in the newer Forwarded header. Examples: </p> X-Forwarded-For: 203.0.113.195:41237, 198.51.100.100:38523 X-Forwarded-For: [2001:db8::1a2b:3c4d]:41237, 198.51.100.100:26321 X-Forwarded-For: [2001:db8::aa:bb] <h2 id="usage">Usage</h2> <p>The X-Forwarded-For header is added or edited by HTTP <a href="/facts/Proxy_server/ArhwQE74">proxies</a> when forwarding a request. The server appends the address of the client to an existing X-Forwarded-For header separated by a comma, or creates a new X-Forwarded-For header with the client address as the value. </p><p>Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The right-most IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario. If the server is behind a trusted <a href="/facts/Reverse_proxy/bN4HFUEC">reverse proxy</a> and only allows connections from that proxy, the header value can usually be assumed to be trustworthy. </p><p>Just logging the X-Forwarded-For field is not always enough as the last proxy IP address in a chain is not contained within the X-Forwarded-For field, it is in the actual IP header. A web server should log both the request's source IP address and the X-Forwarded-For field information for completeness. </p> <h2 id="alternatives-and-variations">Alternatives and variations</h2> <p><a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://datatracker.ietf.org/doc/html/rfc7239">7239</a> standardized a Forwarded HTTP header with similar purpose but more features compared to the X-Forwarded-For HTTP header.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> An example of a Forwarded header's syntax: </p> Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for="[2001:db8::1234]" <p><a href="/facts/HAProxy/152UEPQP">HAProxy</a> defines the PROXY protocol which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP. </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Internet_privacy/Fdnjfnds">Internet privacy</a></li> <li><a href="/facts/Proxy_server/ArhwQE74">List of proxy software</a></li> <li><a href="/facts/X-Originating-IP/CsKVSdNh">X-Originating-IP</a> for <a href="/facts/Simple_Mail_Transfer_Protocol/TeCRKDpJ">SMTP</a> equivalent</li> <li><a href="/facts/List_of_HTTP_header_fields/hEkcQe2f">List of HTTP header fields</a></li></ul> <h2 id="external-links">External links</h2> <ul><li>Apache <a href="https://web.archive.org/web/20070218024619/http://www.openinfo.co.uk/apache/index.html">mod_extract_forwarded</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Overview of parsed mail headers". Archived from the original on 2014-09-20. Retrieved 2014-05-05. <a href="https://web.archive.org/web/20140920220804/http://mailheader.mattiasgeniar.be/headers.php" target="_blank">https://web.archive.org/web/20140920220804/http://mailheader.mattiasgeniar.be/headers.php</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"squid : follow_x_forwarded_for configuration directive". Squid-cache.org. Retrieved 12 November 2017. <a href="http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/" target="_blank">http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"X-Forwarded-For". MDN Web Docs. Retrieved 2020-11-06. <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Petersson, A; Nilsson, M (June 2014). Forwarded HTTP Extension. IETF. doi:10.17487/RFC7239. RFC 7239. Retrieved February 20, 2020. <a href="https://datatracker.ietf.org/doc/html/rfc7239" target="_blank">https://datatracker.ietf.org/doc/html/rfc7239</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved on 2012-12-24. <a href="http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt" target="_blank">http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> </ol>