X-Forwarded-For proxies
I'm just learning a bit about X-Forwarded-For. I'd like to know if it's possible for this header to be spoofed, or to carry an incorrect IP address for the user. Are there any mitigations or checks I can do to ensure I'm correctly identifying the user based on their IP?
Information Security Stack Exchange: How to prevent spoofing of X-Forwarded-For header?
The X-Forwarded-For header can capture the IP of the client, and this IP can be used to implement access control. However, the X-Forwarded-For header can be easily spoofed or manipulated. How to prevent this or...
Also, can I potentially use this to geolocate users based on the proxy?
usually you can't do much to mitigate x-forwarded-for if you don't have access to the proxy, the proxy that blocks the headers. and railway seems to do that, but only for the header X-Envoy-External-Address. the x-forwarded-for seems to append the ip sent by the client
@ThallesComH you legend
i'll read about Envoy external address
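An added example (not code from this thread or from Railway) of the app-side check a defender can do, assuming the proxies in front of the app are known by address range: walk X-Forwarded-For from the right past trusted hops, so a value the client injected is discarded, and prefer a header the edge proxy overwrites (X-Envoy-External-Address on Railway, as mentioned above). The proxy CIDRs, header names as dict keys and sample requests are constructed for the example.

```python
import ipaddress

# Constructed example: address ranges of the proxies we operate or trust in
# front of the app. Anything outside these ranges is treated as untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def is_trusted(ip_str):
    """True if ip_str is a valid address inside one of our trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage a client may have injected is never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(headers, peer_ip):
    """Derive the client IP for a request.

    headers: request headers as a dict (keys are lower-cased here).
    peer_ip: the address of the TCP peer that actually connected to us.
    Assumption: each trusted proxy appends the address it saw to X-Forwarded-For,
    so the rightmost untrusted entry is the real client.
    """
    headers = {k.lower(): v for k, v in headers.items()}

    # A direct connection that bypassed the proxies: ignore every forwarded header.
    if not is_trusted(peer_ip):
        return peer_ip

    # Assumption: the edge proxy sets this header itself and drops client copies,
    # so when it is present it is more reliable than X-Forwarded-For.
    external = headers.get("x-envoy-external-address", "").strip()
    if external and not is_trusted(external):
        return external

    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left: entries to the right were appended by our proxies,
    # entries to the left may have been supplied by the client and are not trusted.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Every hop was a trusted proxy (an internal client): take the leftmost one.
    return hops[0] if hops else peer_ip
```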
good, watch out that Cloudflare also have their x-forwarded-for version
https://developers.cloudflare.com/fundamentals/reference/http-request-headers
Cloudflare HTTP request headers · Cloudflare Fundamentals docs
Cloudflare passes all HTTP request headers to your origin web server and adds additional headers as specified below.
and x-forwarded-for behaves the same as Railway's one
gotcha!
is Railway using this?
https://www.envoyproxy.io
yes they are
Looking forward to when Brody does:
you're funny