I see various spellings of the non-RFC "XFF" HTTP header used for identifying the IP addresses the request has been forwarded through. Is there a difference between these different header names: X-FORWARDED-FOR, X_FORWARDED_FOR, and HTTP_X_FORWARDED_FOR? Do I need to look for all three?
PS - Yes, I know this header can be easily spoofed :)
The X-Forwarded-For (XFF) request header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server. Warning: Improper use of this header can be a security risk.
Short Answer: The X-Original-* represents the original header value received in HttpContext.Connection and HttpContext.Request. Long Version: When using Nginx / IIS / Apache to set up a reverse proxy, the HttpContext.
According to RFC 2616 section 4.2, headers like X-Forwarded-for are case insensitive: "Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive."
The HTTP_ prefix is used by some languages like PHP simply to distinguish HTTP headers from other server variables:
$_SERVER['HTTP_X_FORWARDED_FOR']
The HTTP header name is actually X-Forwarded-For
The header name itself is case insensitive. However, when you want to query a request header, programming languages are largely case sensitive about it (again, PHP is one of them).
The X- indicates that the Forwarded-For header is non-standard. I don't think there's a difference whether a language uses dashes or underscores to refer to header names.
Essentially, they're all the same header, just referred to differently by various implementations.
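As an added example (not part of the original answers), the Python sketch below collapses the three spellings from the question to one lookup key. It goes beyond the question by also refusing requests where two spellings collide and by trusting the chain only as far as known proxies. The function names, the `trusted_proxies` CIDR list and all addresses are assumptions made for illustration.

```python
import ipaddress

def canonical_header(name):
    """Collapse 'X-FORWARDED-FOR', 'X_FORWARDED_FOR' and the CGI-style
    'HTTP_X_FORWARDED_FOR' to one lookup key, 'x-forwarded-for'."""
    name = name.strip()
    if name.upper().startswith("HTTP_"):
        name = name[5:]  # server-variable prefix (PHP $_SERVER, CGI, WSGI)
    return name.replace("_", "-").lower()

def forwarded_chain(headers):
    """Return the X-Forwarded-For addresses, left to right."""
    hits = [(k, v) for k, v in headers.items()
            if canonical_header(k) == "x-forwarded-for"]
    if len(hits) > 1:
        # Two spellings collapsed to one header: refuse to guess which to use.
        raise ValueError("ambiguous spellings: %r" % [k for k, _ in hits])
    if not hits:
        return []
    parts = [p.strip() for p in hits[0][1].split(",")]
    return [ipaddress.ip_address(p) for p in parts if p]  # ValueError on junk

def client_ip(peer, headers, trusted_proxies):
    """Walk the chain right to left, believing an entry only when the hop
    that reported it is inside trusted_proxies (assumed CIDR list)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer)
    for hop in reversed(forwarded_chain(headers)):
        if not any(current in net for net in trusted):
            break  # reported by an untrusted host: stop here
        current = hop
    return str(current)

if __name__ == "__main__":
    # Constructed sample: a client-supplied entry precedes the proxy's own.
    env = {"HTTP_X_FORWARDED_FOR": "192.0.2.99, 203.0.113.7"}
    print(client_ip("10.0.0.5", env, ["10.0.0.0/8"]))
```

The peer address is the TCP connection's remote address, which the header cannot override unless that peer is itself a trusted proxy.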