
Forwarded

The Forwarded header is used to convey information about the client and any intermediate proxies involved in the request. This information can be useful for various purposes, such as:

  • Identifying the originating IP address of a client when requests are proxied through one or more intermediate nodes.
  • Determining the protocol used between the client and the proxy or between two intermediate proxies.
  • Providing information about the original host requested by the client.
  • Identifying any intermediate proxies involved in the request.

Syntax of the Forwarded Header

The Forwarded header consists of one or more comma-separated values, each representing a proxy involved in the request. Each value may contain one or more key-value pairs separated by semicolons. The possible keys are:

  • for: Represents the client’s IP address or an obfuscated identifier.
  • by: Represents the IP address or hostname of the proxy server.
  • proto: Represents the protocol used between the client and the proxy or between two intermediate proxies.
  • host: Represents the original host requested by the client.

The keys can appear in any order but must not be repeated within a single value.

Example of a Forwarded Header

Consider the following HTTP request:

GET /some-resource HTTP/1.1
Host: example.com
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43, for=198.51.100.17;proto=https;by=203.0.113.195

In this example, there are two intermediate proxies involved in the request. The first proxy has an IP address of 203.0.113.43 and received the request from the client with an IP address of 192.0.2.60 using the http protocol. The second proxy has an IP address of 203.0.113.195 and received the request from the first proxy with an IP address of 198.51.100.17 using the https protocol.

Processing the ‘Forwarded’ Header

When processing the Forwarded header, follow these steps:

  1. Split the header value by commas to obtain a list of values representing the proxies involved in the request.
  2. For each value, split it by semicolons to obtain a list of key-value pairs.
  3. For each key-value pair, split it by the equal sign to obtain the key and its corresponding value.
  4. Process the key-value pairs as needed.

Security Considerations

It’s important to note that the Forwarded header can be easily spoofed by clients or intermediate proxies. Therefore, it should not be solely relied upon for security-sensitive operations, such as access control or logging. It is recommended to use additional mechanisms, such as client certificates or IP whitelisting, to ensure the authenticity of the client or intermediate proxies.
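Splitting on raw commas and semicolons, as in the processing steps above, breaks on quoted values such as for="[2001:db8::1]:4711", and a parsed value is only as trustworthy as the hop that wrote it. The following Python is an added example, not code from the original page: it parses the header with quoted-string support, rejects repeated keys, and picks the client address by walking the elements right to left and believing only those appended by known proxies. The function names and the trusted_proxies parameter are assumptions made for this illustration.

```python
import ipaddress
import re

# key "=" (quoted-string | bare value), then ";" "," or end; lenient about bare characters.
_PAIR = re.compile(r'\s*([^=;,\s"]+)=("(?:[^"\\]|\\.)*"|[^;,\s"]*)\s*(;|,|$)')

def parse_forwarded(header):
    """Return one dict per comma-separated element, in header order."""
    elements, current, pos = [], {}, 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if not m:
            raise ValueError(f"malformed Forwarded header at offset {pos}")
        key, value = m.group(1).lower(), m.group(2)  # keys are case-insensitive
        if value.startswith('"'):  # quoted values may contain ',' ';' and ':'
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        if key in current:
            raise ValueError(f"key {key!r} repeated within one element")
        current[key] = value
        if m.group(3) == ",":  # a comma ends this proxy's element
            elements.append(current)
            current = {}
        pos = m.end()
    elements.append(current)
    return elements

def node_ip(node):
    """IP from a for= value (optional port, bracketed IPv6); None if obfuscated."""
    if node.startswith("["):
        node = node[1:].split("]", 1)[0]
    elif node.count(":") == 1:
        node = node.split(":", 1)[0]
    try:
        return ipaddress.ip_address(node)
    except ValueError:
        return None

def client_ip(header, peer_ip, trusted_proxies):
    """Walk elements right to left, believing only what trusted proxies added."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)  # TCP peer address, never from the header
    for element in reversed(parse_forwarded(header)):
        if not any(current in net for net in nets):
            break  # this hop is not ours, so anything it forwarded is unverified
        claimed = node_ip(element.get("for", ""))
        if claimed is None:
            break  # obfuscated or "unknown": stop at the last verifiable address
        current = claimed
    return current
```

With a client-supplied element in front, as in "for=10.0.0.1, for=192.0.2.60" arriving from a trusted proxy at 203.0.113.195, the walk stops at 192.0.2.60 and never reaches the spoofed 10.0.0.1.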

Summary

The Forwarded HTTP header is a valuable tool for providing information about the client and any intermediate proxies involved in a request. It can be used for various purposes, such as identifying the originating IP address, determining the protocol used, and providing information about the original host requested by the client. However, it’s crucial to keep in mind that the Forwarded header can be easily spoofed and should not be solely relied upon for security-sensitive operations.