X-Forwarded-For is defined as a comma separated list, and not just one IP
This plugin makes an incorrect assumption: X-Forwarded-For only ever contains one IP address. However, its standard use is that each proxy/gateway appends the IP address of the requesting proxy/gateway/end-user to the end of the list. Like all HTTP headers, this list is represented as a comma separated list.
E.g.
X-Forwarded-For: 1.2.3.4, ::1, 127.0.0.1, 4.3.2.1
Which one is the user’s actual IP address and which is just a proxy server in the chain? … who knows. Localhost and loopback addresses can safely be discarded. This is just a server talking to itself. Other than that, I’m not sure what the best way is to clean up this header to “get the real IP address”, as the function says.
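One common way to handle the list described in the post above, shown as an added example that is not part of the original post or the plugin's code: walk the chain from the right and stop at the first address that does not belong to a proxy you operate. The function name `client_ip`, the `TRUSTED_PROXIES` ranges and the sample peer addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed deployment: loopback (a server talking to itself) plus the
# private range our own reverse proxies live in. Adjust to your network.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]


def _is_trusted(addr, trusted):
    # Membership is False when the address and network versions differ.
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_values, trusted=TRUSTED_PROXIES):
    """Return the rightmost address that is not one of our trusted proxies.

    remote_addr -- peer address of the TCP connection (not header-controlled)
    xff_values  -- list of X-Forwarded-For header values, in received order
    """
    # The header may be repeated; all values together form one list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    current = ipaddress.ip_address(remote_addr)
    # Each entry was appended by the hop to its right, so an entry is only
    # believable when the hop that reported it is a proxy we trust.
    for hop in reversed(hops):
        if not _is_trusted(current, trusted):
            break  # everything further left is client-supplied text
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


if __name__ == "__main__":
    # Constructed sample: the header from the post, received from 10.0.0.5.
    header = ["1.2.3.4, ::1, 127.0.0.1, 4.3.2.1"]
    print(client_ip("10.0.0.5", header))     # peer is our proxy
    print(client_ip("203.0.113.9", header))  # peer is not a known proxy
```

With these ranges the leftmost entry is never used unless every hop to its right is a trusted proxy, because anything a client sends in the header ends up on the left of the list.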