Forwarded header contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.
This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user's privacy must be kept in mind when deploying this header.
|Header type||Request header|
|Forbidden header name||no|
Forwarded: by=<identifier>; for=<identifier>; host=<host>; proto=<http|https>
- An identifier disclosing the information that is altered or lost when using a proxy. This can be either:
- an IP address (v4 or v6, optionally with a port, and ipv6 quoted and enclosed in square brackets),
- an obfuscated identifier (such as "_hidden" or or "_secret"),
- or "unknown" when the preceding entity is not known (and you still want to indicate that forwarding of the request was made).
- The interface where the request came in to the proxy server.
- The client that initiated the request and subsequent proxies in a chain of proxies.
Hostrequest header field as received by the proxy.
Indicates which protocol was used to make the request (typically "http" or "https").
Forwarded: for="_mdn" # case insensitive Forwarded: For="[2001:db8:cafe::17]:4711" # separated by semicolon Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43 # multiple values can be appended using a comma Forwarded: for=192.0.2.43, for=198.51.100.17
If your application, server, or proxy supports the standardized
Forwarded header, the
X-Forwarded-For header can be replaced. Note that IPv6 address are quoted and enclosed in square brackets in
X-Forwarded-For: 123.34.567.89 Forwarded: for=123.34.567.89 X-Forwarded-For: 192.0.2.43, 2001:db8:cafe::17 Forwarded: for=192.0.2.43, for="[2001:db8:cafe::17]"
|RFC 7239, section 4: Forwarded||Forwarded HTTP Extension|