30

I see various spellings of the non-RFC "XFF" HTTP header used for identifying the IP addresses the request has been forwarded through. Is there a difference between these different header names: X-FORWARDED-FOR, X_FORWARDED_FOR, and HTTP_X_FORWARDED_FOR? Do I need to look for all three?

PS - Yes, I know this header can be easily spoofed :)

urig
  • 16,016
  • 26
  • 115
  • 184

1 Answers1

44

The HTTP_ prefix is used by some languages like PHP simply to distinguish HTTP headers from other server variables:

$_SERVER['HTTP_X_FORWARDED_FOR']

The HTTP header name is actually

X-Forwarded-For

The header name itself is case insensitive. However, when you want to query a request header, programming languages are largely case sensitive about it (again, PHP is one of them).

The X- indicates that the Forwarded-For header is non-standard. I don't think there's a difference whether a language uses dashes or underscores to refer to header names.

Essentially, they're all the same header, just referred to differently by various implementations.

BoltClock
  • 700,868
  • 160
  • 1,392
  • 1,356
  • 8
    +1. As an addition: seems like the use of *HTTP_** originated in [The Common Gateway Interface (CGI) Standard](http://tools.ietf.org/html/rfc3875#section-4.1.18). Quote: `"Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."` – informatik01 Jun 19 '13 at 01:20
  • 4
    FTR, [RFC 7239](https://tools.ietf.org/html/rfc7239) standardized the Forwarded HTTP Extension. Standard header is now `Forwarded: for=1.2.3.4;proto=http` although no one expects that to get adopted soon. Check [What is a full specification of X-Forwarded-Proto HTTP header?](http://stackoverflow.com/q/13111080). – mmoya Apr 23 '15 at 17:49