How many characters can the X-Forwarded-For (XFF) HTTP header value be?

Example is: X-Forwarded-For: client1, proxy1, proxy2

finneycanhelp

2 Answers

See this, this and this (related SO questions).

The spec does not specify a limit (so, unlimited, in theory). However, there is a limit that is implementation specific.

IIS 6/7 allow up to 16K per header; Apache will default to 8K.

Community
Oded

AFAIK, there is no limit. Note that you shouldn't rely on its value; it can be spoofed easily. (Note, however, that if you're using a load-balancing proxy that overwrites this value, you can rely on it, as you're setting it yourself.)

You
  • But if all of your connections are coming in through your load balancer (or other proxy), and you do not allow the world to connect to your bare back-end server's 80 and 443, then you can rely on the header since good load balancers always overwrite whatever made-up value a user might try to provide with a real one computed from the client IP address. – Brandon Rhodes May 27 '11 at 21:14
  • @Brandon: Well yes, if you're controlling its value using a load-balancing proxy you can rely on it. – You May 27 '11 at 22:49
  • Add that tidbit to your answer — so users don't think that X-Forwarded-For is always and in all circumstances spoofable, and I'll be happy to +1 your answer — thanks! – Brandon Rhodes May 27 '11 at 22:53
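
An added example, not part of the original thread: a back-end check that uses X-Forwarded-For only when the request arrived through a trusted proxy, and bounds the header length before parsing. It goes slightly beyond the thread by also handling proxies that append to the header rather than overwrite it. The proxy range `10.0.0.0/8`, the 8K cap (mirroring the Apache default mentioned above) and the function names are assumptions for illustration.

```python
import ipaddress

# Assumed values for this sketch: replace with your own proxy ranges and limit.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_XFF_LEN = 8 * 1024  # mirrors the 8K per-header default cited for Apache


def _is_trusted(addr):
    """True if addr belongs to one of our own proxies / load balancers."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the address to log or rate-limit on.

    peer_ip:    address of the TCP peer that connected to this server.
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)

    # Request did not come through our proxy: the header is client-supplied
    # and carries no weight, so fall back to the socket address.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    # Refuse to parse oversized values instead of relying on the front end
    # to have enforced its own header-size limit.
    if len(xff_header) > MAX_XFF_LEN:
        return str(peer)

    # Entries written by our proxies are the rightmost ones. Walk right to
    # left and stop at the first hop that is not ours: that is the client as
    # our own infrastructure saw it. Anything further left is unverified.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed entry: stop trusting the header
        if not _is_trusted(hop):
            return str(hop)

    # Every hop was one of our proxies (internal traffic).
    return str(peer)
```

This only holds if the back end is unreachable except through the proxy, as the comments above point out.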