X-Forwarded-For

The HTTP X-Forwarded-For request header is an unofficial HTTP header used to identify the originating IP address of a client connecting through proxies, load balancers, or other intermediaries.

Usage

When a client connects directly to an origin server, the server reads the client IP from the TCP connection. Once proxies or load balancers sit between the client and the server, the server only sees the IP address of the last intermediary. The X-Forwarded-For header preserves the original client address and the chain of proxy addresses.

Each intermediary appends the IP address of the node from which the request was received. The result is a comma-separated list where the leftmost address belongs to the original client and each subsequent address represents a proxy in the forwarding chain.

X-Forwarded-For: <client>, <proxy1>, <proxy2>

Because any hop along the path is free to add, modify, or forge entries, only the entries appended by trusted proxies are reliable, which means the list has to be read from the right. A common security practice is to configure the application to skip a known number of trusted proxy entries from the right side of the list and treat the next address as the true client IP.

The standardized replacement for this header is the Forwarded header, which uses structured parameters (for, by, host, proto) instead of a flat IP list.

Note

The "X-" naming convention for HTTP headers, where "X" refers to "experimental", has been deprecated, and headers using it are expected to transition to the formal naming convention for HTTP headers.

Values

The X-Forwarded-For value is a comma-separated list of IP addresses. Each address is either an IPv4 dotted-decimal or an IPv6 address.

Single client

A request arriving at the first proxy from a client at 203.0.113.50 produces a single entry.

X-Forwarded-For: 203.0.113.50

Multiple hops

After passing through two proxies, the list contains the client followed by the first proxy address.

X-Forwarded-For: 203.0.113.50, 198.51.100.178

IPv6

IPv6 addresses appear without brackets in the comma-separated list.

X-Forwarded-For: 2001:db8::cafe, 198.51.100.178

Example

A web application behind a load balancer and a CDN edge node receives the following header. The first address 203.0.113.50 is the original client. The second address 198.51.100.178 is the CDN edge node. The load balancer added the CDN edge address before forwarding to the origin.

X-Forwarded-For: 203.0.113.50, 198.51.100.178

Rate-limiting middleware reading this header counts from the right. Knowing one trusted proxy (the load balancer) exists, the middleware skips one entry from the right and treats 203.0.113.50 as the client IP.
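
The skip-from-the-right rule described above, written out as an added Python example that is not part of the original page. The function names, the fallback to the TCP peer address, the 10.0.0.2 load balancer address and the sample headers (including the one with a forged leftmost entry) are assumptions constructed for illustration.

```python
import ipaddress


def client_ip_from_xff(header_lines, peer_addr, skip_from_right):
    """Pick the client IP by skipping trusted entries from the right.

    header_lines: every X-Forwarded-For line on the request, in order
    peer_addr: address of the TCP peer, used as the fallback
    skip_from_right: number of trusted proxy entries to skip
    """
    # Several X-Forwarded-For lines are equivalent to one joined list.
    entries = [e.strip() for line in header_lines for e in line.split(",")]
    entries = [e for e in entries if e]
    index = len(entries) - 1 - skip_from_right
    if index < 0:
        # Chain is shorter than the deployment produces: the request did
        # not pass through the expected proxies, so trust only the socket.
        return peer_addr
    try:
        # Normalises the address and rejects anything that is not an IP.
        return str(ipaddress.ip_address(entries[index]))
    except ValueError:
        return peer_addr


def leftmost_entry(header_lines):
    """Naive reading shown for contrast: takes whatever the sender wrote."""
    return header_lines[0].split(",")[0].strip()


# Constructed sample requests; 10.0.0.2 stands in for the load balancer.
LB = "10.0.0.2"
PAGE_EXAMPLE = ["203.0.113.50, 198.51.100.178"]
FORGED_PREFIX = ["192.0.2.99, 203.0.113.50, 198.51.100.178"]
IPV6_CLIENT = ["2001:db8::cafe, 198.51.100.178"]
SPLIT_LINES = ["203.0.113.50", "198.51.100.178"]

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, FORGED_PREFIX, IPV6_CLIENT, SPLIT_LINES):
        print(sample, "->", client_ip_from_xff(sample, LB, 1),
              "| leftmost:", leftmost_entry(sample))
```

The skip count has to match the deployment exactly; if a proxy is added or removed, the same index lands on a different hop.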

An authentication gateway logging access events extracts the client IP from the X-Forwarded-For header alongside the User-Agent for audit trails.

X-Forwarded-For: 192.0.2.12

Takeaway

The HTTP X-Forwarded-For header carries a comma-separated chain of IP addresses representing the client and each proxy a request has traversed. The Forwarded header is the standardized successor.

Last updated: March 11, 2026