41

What is a full specification of X-Forwarded-Proto HTTP header values?

yegor256
  • Related: [Custom HTTP headers : naming conventions](http://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions) – BalusC Oct 30 '12 at 15:57
  • *`Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43`*....... RFC 7239, see https://en.wikipedia.org/wiki/X-Forwarded-For – Pacerier Nov 04 '15 at 08:31

3 Answers

36

There is no "full specification" -- it's a de facto standard. The X- in front of a header name customarily* has denoted it as experimental/non-standard/vendor-specific. Once it's a standard part of HTTP, it'll lose the prefix.

There's some work from the IETF on standardizing it, but it's just at the draft stages, as far as i can tell. Check out https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-http-forwarded-10 for the latest draft as of the time of this writing. But be aware that it can change at any time while it's being fleshed out, and don't rely on it in production stuff yet.

Update:

RFC 7239 now defines the Forwarded: header, which is intended to replace X-Forwarded-*. If you care about standards, i would recommend using that instead.


* This used to be an official thing, but no longer is. RFC 6648 deprecates the X- prefixing convention. Unfortunately, the convention is so widely known (and the deprecation so low-key) that most people outside the IETF will probably ignore the recommendation.

cHao
  • 2
    That's misleading. The "X-" prefix isn't special in HTTP header fields. The Internet Draft that you mentioned defines a *new* header field called "Forwarded", which is meant to replace the "X-Forwarded-*" header fields found in the wild. Also, it has already been approved for publication, so I wouldn't expect any more changes to it. – Julian Reschke Oct 29 '12 at 09:29
  • 2
    It was published as an Internet-Draft. By definition, and as stated in its own prologue, it should only be considered "work in progress". Rely on it at your own peril; it already *has* changed, 13 times so far. Each change gets published just the same. And say what you like about "X-", but it *is* a known convention and has been for quite a while. An RFC does not unwrite 15+ years of history, much as the IETF might wish it did. :) – cHao Oct 29 '12 at 20:00
  • 1
    cHao see https://datatracker.ietf.org/doc/draft-ietf-appsawg-http-forwarded/ for the state of the draft - so the draft has been approved by the IESG and is not supposed to change anymore except for editorial fixes and reformatting. If you want to nitpick, I suggest you consult the IETF standards process documentation. – Julian Reschke Oct 30 '12 at 09:37
  • 1
    cHao with respect to "X-": (1) It *is* defined for some protocol parameters, but is not for header fields. (2) There is no general rule for "unprefixing"; usually, once something is deployed a lot, it's very hard to change. – Julian Reschke Oct 30 '12 at 10:06
  • @Julian: While i understand the problems with prefixing (or more to the point, "unprefixing"), they were still a potential problem even while the internet was being invented. Doesn't stop the wrong solution from being adopted for all that time by the IETF itself. Now that it's widely known, an RFC isn't going to magically make people forget it. That prefix *does* have a well-known meaning, regardless of what any document says. – cHao Oct 30 '12 at 13:21
  • 1
    as a matter of fact, it doesn't have any meaning at all - if software takes a different path because a protocol element starts with "x-", it's broken. (And yes, we have seen that in practice) – Julian Reschke Oct 30 '12 at 13:42
  • I'm not talking about meaning to software. I agree with you that software shouldn't give a damn. However, it does have meaning to *people*. To totally discount that is to forget why we have conventions at all. – cHao Oct 30 '12 at 13:54
  • 3
    RFC 7239, June 2014 http://tools.ietf.org/html/rfc7239 . They settled on `Forwarded: proto=https`. Let's see how vendor adoption goes. – mmoya Aug 06 '14 at 14:18
  • @cHao People use x- because they think they are supposed to because they see other people doing it. Many people incorrectly think that it stands for eXtension, not eXperimental. Education is the solution, the more we tell people not to use it, the better the situation will become. Obviously we can't re-write the past, but we can help people make better decisions in the future. – Darrel Miller Oct 05 '14 at 19:40
  • @DarrelMiller: People use it not so much because they see other people doing it, as because they were *told* that's what they're supposed to do...because that's what people were officially told for a good long while. So now it's a thing. I'd love to see it stop -- i never liked it much anyway, precisely because of the compatibility issues that, frankly, were foreseeable a quarter of a century ago. But now that it's a thing, i wonder whether there's enough education in the world to make it go away. – cHao Oct 05 '14 at 22:12
  • @DarrelMiller, "`X`" is a misnomer anyway. They should issue another RFC replacing "`X`" with "`TEMP`". When someone sees a header called *`TEMP-Forwarded-For`*, it's self-obvious that the header is experimental and not "extension". – Pacerier Nov 04 '15 at 08:36
  • @cHao, As long as the standard is approved it is considered to be pretty stable. Sure, in the future *anything* can happen, but such a standard **is reliable** and "safe to implement" for battle-testing in production code. – Pacerier Nov 04 '15 at 08:42
  • @Pacerier: It wasn't approved back when the comments and this answer were written. In fact, the 13th draft had been released that very month. – cHao Jul 06 '18 at 20:36
18

There finally is RFC 7239 - Forwarded HTTP Extension from June 2014. The header is defined in section 5.4.

Some examples:

```
Forwarded: proto=https
Forwarded: for=1.2.3.4;proto=http
```

I just hope this won't take too much time to get widely adopted. An example of the diversity of headers because of standard lacking (from here):

  • X-Forwarded-Proto: https (de facto standard)
  • X-Forwarded-Protocol: https
  • X-Forwarded-Ssl: on
  • X-Url-Scheme: https
  • Front-End-Https: on
mmoya
  • 1
    That's going to take ages before it gets adopted. There are tons of servers that would need updating to parse the new HTTP header. I'm not really keen on updating libraries, frameworks, servers... etc etc. – CMCDragonkai Apr 19 '15 at 13:09
  • The "standard" is the thing that is universally used and practically passed to new folks, not the thing that is blessed by selected wise people. By such definition, X-Forwarded-Proto is the standard and RFC7239 is just noise. – kubanczyk Dec 09 '15 at 10:03
  • I tend to agree, "no one" uses `Forwarded:` it's a new standard no one knows about and everyone is still using `X-Forwarded-*`. I stumbled upon RFC 7239 by accident. Now that it's a rfc it will get adopted, but the new standard is even more complicated than setting multiple headers. Does HA-Proxy define standards now? All this does is complicate things. Now you have to support old non-standard-standard and new standard. –  Jan 26 '17 at 15:05
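
An added example, not part of any answer or comment above and not taken from any server or framework: one way an application behind a reverse proxy can derive the request scheme from RFC 7239 `Forwarded`, falling back to the legacy headers listed in the answer, while ignoring all of them when the connection does not come from its own proxy. The names `TRUSTED_PROXIES`, `LEGACY`, `parse_forwarded` and `effective_scheme`, the `10.0.0.0/8` range, and the single-proxy deployment (so the last list element is the one that proxy wrote) are assumptions of this sketch.

```python
import ipaddress
import re

# Assumption: the app sits behind exactly one reverse proxy in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Legacy headers from the answer; None = value is the scheme, else value meaning HTTPS.
LEGACY = [("x-forwarded-proto", None), ("x-forwarded-protocol", None),
          ("x-url-scheme", None), ("x-forwarded-ssl", "on"), ("front-end-https", "on")]

# name "=" (quoted-string | token); names limited to a subset of token characters.
_PAIR = re.compile(r'\s*([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^;,\s"]+)\s*')

def parse_forwarded(value):
    """Split a Forwarded value into one dict per hop, in header order."""
    hops, hop, pos = [], {}, 0
    while pos < len(value):
        m = _PAIR.match(value, pos)
        if not m or (m.end() < len(value) and value[m.end()] not in ";,"):
            raise ValueError(f"malformed Forwarded value near offset {pos}")
        raw = m.group(2)
        if raw.startswith('"'):                      # quoted-string: unescape
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        hop[m.group(1).lower()] = raw
        if value[m.end():m.end() + 1] == ",":        # a comma ends this hop
            hops.append(hop)
            hop = {}
        pos = m.end() + 1
    return hops + [hop] if hop else hops

def effective_scheme(peer_ip, headers, direct_scheme="http"):
    """Scheme the client used; forwarding headers count only from our proxy."""
    if not any(ipaddress.ip_address(peer_ip) in n for n in TRUSTED_PROXIES):
        return direct_scheme                         # client-supplied: ignore
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    proto = ""
    if "forwarded" in h:
        try:
            proto = (parse_forwarded(h["forwarded"]) or [{}])[-1].get("proto", "")
        except ValueError:
            pass                                     # malformed: fall back below
    else:
        for name, on_value in LEGACY:
            if name in h:
                last = h[name].split(",")[-1].strip()
                proto = last if on_value is None else ("https" if last == on_value else "")
                break
    return proto if proto in ("http", "https") else direct_scheme
```

The proxy itself should overwrite or strip any forwarding headers it receives from clients; the peer-address check here only decides whether the application looks at them at all.
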
2

I'm not aware of a "full specification".

The IETF APPSArea Working Group recently decided to define a new header field "Forwarded" which is supposed to replace the "X-Forwarded-*" header fields that you mentioned.

See https://datatracker.ietf.org/doc/html/draft-ietf-appsawg-http-forwarded for details.

Julian Reschke