is http_x_forwarded_for safe?

In requests, is it possible to modify the http_x_forwarded_for with a fake IP? Can hackers do that?

- [How to use HTTP_X_FORWARDED_FOR properly?](https://stackoverflow.com/q/11452938/608639), [What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?](https://stackoverflow.com/q/7445592/608639), etc. – jww Jun 04 '17 at 11:55
- Possible duplicate of [PHP most accurate / safe way to get real user IP address in 2017](https://stackoverflow.com/questions/44085102/php-most-accurate-safe-way-to-get-real-user-ip-address-in-2017) – Narf Jun 05 '17 at 07:58
2 Answers
> is http_x_forwarded_for safe?

It depends on the proxy server you rely on. The proxy server has complete control over this header and can set whatever value it wants in it. So, if you are in control of the proxy, you can trust the attribute and can confirm it's the correct information. I have used this successfully in the past to read the client IP address with a trusted proxy server setup.

> is it possible to modify the http_x_forwarded_for with a fake IP? Can hackers do that?

If you are talking about modifying the request at a particular hop in a network containing multiple proxy servers before it reaches the server, then yes, it's possible. So it depends on your proxy setup and how you control it. If it's about changing the header over the network tunnel by intercepting the forwarded proxy request, IMO it may be possible but can be avoided using a proper handshake protocol.

Due to the way IP networks work, there is no way to tell the actual IP address of a client connecting to your server. The question doesn't even make sense. If NAT is used on the network, which IP would you want to see as the client IP: the internal (local) one on the NATed network, or the first public IP? What would you gain from the latter, when whole internet provider companies work with client networks behind a NAT (although this is getting less common)?

You need to acknowledge that in an IP network, traffic passes through many nodes, some of which may change the apparent IP address of a request. These include NAT servers and proxies of different sorts, and you have no way to tell what happened to a packet before reaching your server.

Also, in HTTP, any request header can be forged. This includes about any variable that starts with SERVER_ in your favourite language. These cannot be trusted; a user can send whatever he wants.

The only exception is the actual apparent client IP, which is much harder to forge, but only gives you the last hop (the last proxy, or the last NAT server).

Also, most of the time, if you need to know the client IP that precisely, something else is wrong in the logic. You have to accept, for example, that a client IP is in no way an identifier of a user (a person).

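Both answers come down to the same rule: the TCP peer address is the only value the client cannot set in the request itself, and X-Forwarded-For is only meaningful for the hops appended by proxies you operate. The following is an added example (not code from either answer) of applying that rule; the trusted proxy ranges and sample addresses are made up for the example.

```python
import ipaddress

# Constructed for this example: address ranges of the reverse proxies we run
# ourselves. Only these are trusted to append an honest hop to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.5/32"),
]


def is_trusted(addr):
    """True if addr is one of our own proxies."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the best available client address.

    remote_addr is the TCP peer (not forgeable at the HTTP layer).
    xff_header is the raw X-Forwarded-For value, or None.
    The chain is walked from the right: hops that are our own proxies are
    skipped, and the first address not belonging to us is the client. Anything
    further left was supplied by an untrusted party and is ignored.
    """
    if not is_trusted(remote_addr):
        # Direct connection or unknown proxy: the header is worthless here.
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry from an untrusted party: fall back to the peer,
            # which groups everyone behind that proxy together (fail closed).
            return remote_addr
    # Empty header or every hop was ours: the peer is the closest we can get.
    return remote_addr
```

If the proxy in front of you is someone else's (a CDN, a corporate forward proxy), its ranges must be in the trusted list or the header is ignored entirely, which is the safe default.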