29

I see various spellings of the non-RFC "XFF" HTTP header used for identifying the IP addresses the request has been forwarded through. Is there a difference between these different header names: X-FORWARDED-FOR, X_FORWARDED_FOR, and HTTP_X_FORWARDED_FOR? Do I need to look for all three?

PS - Yes, I know this header can be easily spoofed :)

urig
  • 14,804
  • 22
  • 103
  • 166

1 Answers1

42

The HTTP_ prefix is used by some languages like PHP simply to distinguish HTTP headers from other server variables:

$_SERVER['HTTP_X_FORWARDED_FOR']

The HTTP header name is actually

X-Forwarded-For

The header name itself is case insensitive. However, when you want to query a request header, programming languages are largely case sensitive about it (again, PHP is one of them).

The X- indicates that the Forwarded-For header is non-standard. I don't think there's a difference whether a language uses dashes or underscores to refer to header names.

Essentially, they're all the same header, just referred to differently by various implementations.

BoltClock
  • 665,005
  • 155
  • 1,345
  • 1,328
  • 8
    +1. As an addition: seems like the use of *HTTP_** originated in [The Common Gateway Interface (CGI) Standard](http://tools.ietf.org/html/rfc3875#section-4.1.18). Quote: `"Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."` – informatik01 Jun 19 '13 at 01:20
  • 4
    FTR, [RFC 7239](https://tools.ietf.org/html/rfc7239) standardized the Forwarded HTTP Extension. Standard header is now `Forwarded: for=1.2.3.4;proto=http` although no one expects that to get adopted soon. Check [What is a full specification of X-Forwarded-Proto HTTP header?](http://stackoverflow.com/q/13111080). – mmoya Apr 23 '15 at 17:49