Forwarded
The HTTP Forwarded request header contains the IP address for the client that initiates the HTTP request.
Usage
The Forwarded request header is to inform the server concerning the originating client’s IP address, as well as the addresses of intermediaries that the HTTP request has passed through. Examples of intermediaries might be forward or reverse proxy servers, a load balancer, or a content delivery network (CDN). This HTTP header can be generated, modified, or deleted by any intermediary en-route to the server.
The information provided by the Forwarded request header can be used to facilitate troubleshooting or statistical reporting. It does, however, contribute to the erosion of privacy by exposing the originating IP address. The directives are by, for, host, and proto.
by
The by directive is optional and stores information about the interface where the HTTP request entered a proxy server. It can contain a range of values including:
- A masked identifier such as hidden. This is the default value.
- An IPv4 or IPv6 address, optionally with a port
- The unknown identifier, indicating that the previous intermediary is not known but does exist.
for
The for directive is similar to by, with the same possible values, although it refers specifically to the client that originated the HTTP request.
host
The host directive is the HTTP Host request header field, as it is read by the intermediary.
proto
The proto directive indicates the protocol that was used to make the HTTP request. This is normally either HTTP or HTTPS.
Example
Request
Forwarded: for=192.168.0.1;proto=https;by=192.168.1.100
Takeaway
The HTTP Forwarded header is used to provide information to the server about the originating client’s IP address, as well as those of the intermediaries that the HTTP request passed through.