What does X-Forwarded-For contain?

It is a comma-separated list of IP addresses appended as a request passes through proxies. The leftmost is the original client as seen by the first proxy, and each subsequent entry is added by the next hop. Because clients can spoof it, only entries added by proxies you trust are reliable.

How is the Forwarded header different?

Forwarded (RFC 7239) is the standardised replacement that combines for, by, host and proto into one header using key=value pairs separated by semicolons, with multiple hops separated by commas. It carries the same information as the X-Forwarded-* family but in a single, well-defined syntax.

Which entry is the real client IP?

Do not blindly trust the leftmost value — clients can inject fake entries. Count back from the right by the number of proxies you control: the address added by your outermost trusted proxy is the real client. Configure your framework's trusted-proxy list accordingly.

What do X-Forwarded-Proto and X-Forwarded-Host do?

X-Forwarded-Proto records the scheme (http or https) the client used to reach the first proxy, so an app behind a TLS-terminating proxy knows the original was https. X-Forwarded-Host carries the original Host header. Both let the backend reconstruct the externally visible URL.

Can the Forwarded header use obfuscated identifiers?

Yes. RFC 7239 allows obfuscated node identifiers prefixed with an underscore, e.g. for=_hidden, and the token unknown when the address is not disclosed. IPv6 addresses must be quoted and bracketed, like for="[2001:db8::1]:8080".

HTTP Forwarded Header Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

How proxies preserve client information

When a request passes through reverse proxies and load balancers, the backend sees the proxy’s address, not the client’s. Forwarding headers carry the original client IP, protocol and host along the chain. This reference covers the standardised Forwarded header and the legacy X-Forwarded-* set, plus how to parse a proxy chain safely.

How it works

Each proxy appends what it observed. The legacy headers split the data across three fields; the standard Forwarded header combines them:

X-Forwarded-For: 203.0.113.7, 198.51.100.2, 10.0.0.1
X-Forwarded-Proto: https
X-Forwarded-Host: example.com

Forwarded: for=203.0.113.7;proto=https;host=example.com, for=198.51.100.2

The list grows left-to-right as hops are traversed, so the leftmost X-Forwarded-For entry is the original client as reported — but any client can forge entries. Trust only the addresses appended by proxies you control: count back from the right by your number of trusted hops to find the true client IP.

Tips and notes

Configure a trusted-proxy count; never trust the leftmost value unconditionally.
IPv6 in Forwarded must be quoted and bracketed: for="[2001:db8::1]".
X-Forwarded-Proto lets a TLS-terminating proxy tell the app the original scheme.
Prefer Forwarded for new systems; keep X-Forwarded-* for compatibility.