What is the difference between X-Forwarded-For and X-Forwarded-IP?

Question

To obtain the client IP address in my ASP.NET application I\'ve used the X-Forwarded-For, and get the first IP address from the list (accordingly to the information I\'ve fo

Answer 1

X-Forwarded-For is a non-standard header, introduced originally by Squid. It is a proxy- specific header, that helps a server identify the original requestor of a call that did pass-through the proxy - so obviously any proxy on the request path should/will modify X-Forwarded-For. Without proxy on the request path, this header shouldn't even be in the request.

Because this header is non-standard, there is no guarantee you'll get it, and the way it is handled can differ on the proxy implementation. You have no guarantee either that it will contain a proper IP.

Since 2014, the IETF has approved a standard header definition for proxy, called "Forwarded", documented here https://tools.ietf.org/html/rfc7239 that should be use instead of X-Forwarded headers. This is the one you should use reliably to get originating IP in case your request is handled by a proxy.

In general, the proxy headers (Forwarded or X-Forwarded-For) are the right way to get your client IP only when you are sure they come to you via a proxy. If there is no proxy header or no usable value in, you should default to the REMOTE_ADDR server variable.