Skip to content

[Fundamentals] Clarify x-forwarded-for #30556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pedrosousa merged 1 commit into from
May 5, 2026
Merged

[Fundamentals] Clarify x-forwarded-for #30556

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion src/content/docs/fundamentals/reference/http-headers.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,9 @@ For example, if the original visitor IP address is `203.0.113.1` and the request

If, on the other hand, an `X-Forwarded-For` header was already present in the request to Cloudflare, Cloudflare will append the IP address of the HTTP proxy connecting to Cloudflare to the header. For example, if the original visitor IP address is `203.0.113.1` and a request is proxied through two proxies: proxy A with an IP address of `198.51.100.101` and proxy B with an IP address of `198.51.100.102` before being proxied to Cloudflare, then Cloudflare will send `X-Forwarded-For: 203.0.113.1,198.51.100.101,198.51.100.102` to the origin. Proxy A will append the original visitor's IP address (`203.0.113.1`) to `X-Forwarded-For` before proxying the request to proxy B which, in turn, will append Proxy A's IP address (`198.51.100.101`) to `X-Forwarded-For` before proxying the request to Cloudflare. And finally, Cloudflare will append proxy B's IP address (`198.51.100.102`) to `X-Forwarded-For` before proxying the request to the origin.

If you do not wish to receive the visitor's IP address in the `X-Forwarded-For` header, or any HTTP header that may contain the visitor's IP address, [enable the **Remove visitor IP headers** Managed Transform](/rules/transform/managed-transforms/configure/).
If you do not wish to receive the visitor's IP address (and other intermediate proxy IP addresses) in the `X-Forwarded-For` header, or any HTTP header that may contain the visitor's IP address, [enable the **Remove visitor IP headers** Managed Transform](/rules/transform/managed-transforms/configure/). For the `X-Forwarded-For` header specifically, this Managed Transform will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least another CDN. In this case, Cloudflare will only keep the IP address of the last proxy.

Using the previous example where a request was proxied twice (proxies A and B) before being proxied through Cloudflare, with **Remove visitor IP headers** enabled, Cloudflare would send `X-Forwarded-For: 198.51.100.102` to the origin, keeping only proxy B's IP address (the last proxy before Cloudflare). Refer to [Visitor IP address in the `x-forwarded-for` HTTP header](/rules/transform/managed-transforms/reference/#visitor-ip-address-in-the-x-forwarded-for-http-header) for more details.

:::note
To restore the original visitor IP address at your origin web server, Cloudflare recommends that your logs or applications look at `CF-Connecting-IP` or `True-Client-IP` instead of `X-Forwarded-For`. `CF-Connecting-IP` and `True-Client-IP` both have a consistent format containing only one IP address.
Expand Down
Loading