Re: X-Forwarded-For header

From: bradford <>
Date: Thu, 24 Mar 2011 16:35:57 -0400

I know there have been several emails about this, but what is the most secure way of logging the client's IP address in the application code?  Do you just log the full X-Forwarded-For comma delimited value? Also, can't they manipulate the X-Forwarded-For header in the HTTP request?


On Thu, Mar 24, 2011 at 4:12 PM, Willy Tarreau <> wrote:
> Hello Dmitry,
> On Thu, Mar 24, 2011 at 05:28:13PM +0300, Dmitry Sivachenko wrote:
>> Hello!
>> With "option forwardfor", haproxy adds X-Forwarded-For header at the end
>> of header list.
>> But according to wikipedia:
>> and other HTTP proxies (say, nginx)
>> there is standard format to specify several intermediate IP addresses:
>> X-Forwarded-For: client1, proxy1, proxy2
>> Why don't you use these standard procedure to add client IP?
> Because these are not the standards. Standards are defined by RFCs, not
> by Wikipedia :-)
> We already got this question anyway. The short answer is that both forms
> are strictly equivalent, and any intermediary is free to fold multiple
> header lines into a single one with values delimited by commas. Your
> application will not notice the difference (otherwise it's utterly
> broken and might possibly be sensible to many vulnerabilities such as
> request smugling attacks).
> Hoping this helps,
> Willy
Received on 2011/03/24 21:35

This archive was generated by hypermail 2.2.0 : 2011/03/24 21:45 CET