Forwarded Inspect

Parse and diagnose HTTP headers and routing signals in your browser. No input is sent to a server. Use it for first-pass observation-gap troubleshooting.

Status

Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.

How to use

Paste a Forwarded header and click “Parse”. The tool lists each entry with its for/by/host/proto values. A single Forwarded: line, a multi-line paste, or a full header block are all accepted.

Notes (this tool)

  • Forwarded can be spoofed outside your trust boundary. Only trust it after trusted proxies sanitize/overwrite it.

About this page

What does this tool do?

Splits the Forwarded header into for/by/host/proto fields and displays them clearly.

Useful for diagnosing issues like missing client IP, wrong scheme (http/https), or host changes.

Forwarded basics

  • Forwarded is a standard header added by proxies/gateways.
  • It can include for/by/host/proto in multiple entries.
  • It’s the standardized form compared to legacy X-Forwarded-* headers.

Syntax (how to read)

Forwarded is a comma-separated list of entries, each with semicolon-separated key=value pairs.

  • Forwarded: for=203.0.113.10;proto=https;host=example.com
  • Forwarded: for=192.0.2.43, for=198.51.100.17;proto=http
  • Forwarded: for="_gazonk"

Examples (common patterns)

Forwarded is appended by intermediaries, so multiple entries are common. Which value to trust depends on your trusted proxy boundary.

  • TLS terminated upstream: proto=https present (app can detect https)
  • Host rewriting: unexpected host= can break redirects/URL generation
  • Obfuscation: for=unknown or for="_..." (policy-driven)

Glossary (terms used on this page)

  • for: hint about the client (sender).
  • by: the receiving proxy/gateway.
  • host: the received host name.
  • proto: the received scheme (http/https).

Why it helps (path and scheme mismatches)

Application logic that depends on client IP, host, or protocol is affected by every intermediary on the path. Forwarded helps you infer where a value changed.

  • HTTPS but detected as http → check if proto=https is present
  • Host mismatch → verify host= in Forwarded
  • Missing client IP → check whether for= is stripped/anonymized

Don’t rely on Forwarded alone—compare with legacy X-Forwarded-* and path headers like Via to speed up troubleshooting.

  • X-Forwarded-For: legacy client IP chain (often multi-hop)
  • X-Forwarded-Proto: common for scheme detection
  • X-Forwarded-Host: may exist when host is rewritten
  • Via: proxy hop hints

Common pitfalls

  • Both X-Forwarded-For and Forwarded exist with conflicting values
  • Misreading entry order (leftmost isn’t always the closest client, depending on implementation)
  • Blindly trusting untrusted headers (security risk)

Security notes (trust boundaries)

Forwarded can be spoofed by clients. You must define trust boundaries and have trusted proxies sanitize/overwrite it.
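
A parser for the syntax described under "Syntax (how to read)", combined with the trust-boundary rule above, as an added example that is not this tool's own code. The function names, the trusted-proxy list and the sample addresses are assumptions for illustration; it assumes each trusted proxy appends its own entry, and exact-match addresses stand in for the CIDR ranges a real deployment would use.

```javascript
// Added example, not the tool's code. Splits on `sep` but not inside a quoted-string.
function splitOutsideQuotes(text, sep) {
  const parts = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inQuotes && ch === "\\" && i + 1 < text.length) { cur += ch + text[++i]; continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === sep && !inQuotes) { parts.push(cur); cur = ""; } else cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p !== "");
}
// Parse one header value, or an array of them in received order, into entries.
function parseForwarded(headerValues) {
  const entries = [];
  for (const value of [].concat(headerValues)) {
    for (const element of splitOutsideQuotes(value.replace(/^forwarded:\s*/i, ""), ",")) {
      const entry = {};
      for (const pair of splitOutsideQuotes(element, ";")) {
        const eq = pair.indexOf("=");
        if (eq < 1) continue; // malformed pair
        const key = pair.slice(0, eq).trim().toLowerCase();
        let val = pair.slice(eq + 1).trim();
        if (/^".*"$/.test(val)) val = val.slice(1, -1).replace(/\\(.)/g, "$1"); // unquote
        if (!(key in entry)) entry[key] = val; // first occurrence wins
      }
      entries.push(entry);
    }
  }
  return entries;
}
// Reduce a node value to a comparable address: drop the port and IPv6 brackets.
function nodeAddress(node) {
  const m = node.match(/^\[([^\]]+)\](?::\w+)?$/);
  return (m ? m[1] : node.replace(/:\w+$/, "")).toLowerCase();
}
// Use the header only when the direct peer is trusted; walk right to left to the first untrusted for=.
function clientFromForwarded(headerValues, peerAddress, trustedProxies) {
  const trusted = new Set(trustedProxies.map((a) => a.toLowerCase()));
  if (!trusted.has(peerAddress.toLowerCase())) return peerAddress;
  const entries = parseForwarded(headerValues);
  for (let i = entries.length - 1; i >= 0; i--) {
    const addr = nodeAddress(entries[i].for || "unknown");
    if (addr === "unknown" || addr.startsWith("_")) return null; // no usable IP at this hop
    if (!trusted.has(addr)) return addr;
  }
  return null;
}
```

A `null` result means the chain gives no usable address (an obfuscated or missing for=), so the caller should fall back to the peer address or log the gap rather than read further left.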

How to test (measure)

DevTools Network is quickest, but reproducing with curl makes it easy to share/debug (replace the URL).

  • Check response headers with curl -I https://example.com/
  • Forwarded is a request header, so also check server logs/app debug output

Debugging workflow (recommended)

  • Extract Forwarded with Request Headers Parser
  • Split for/by/host/proto here
  • Check consistency with X-Forwarded-For / X-Forwarded-Proto

Troubleshooting checklist by symptom

  • Wrong scheme detection: check proto=https, load balancer settings, and X-Forwarded-Proto consistency
  • Client IP becomes proxy IP: suspect overwrites, reading the wrong entry, or misconfigured trust boundary
  • Broken host/URL generation: verify host=, X-Forwarded-Host, and app proxy-trust configuration

What this tool does

  • Split Forwarded entries by commas
  • Extract for/by/host/proto and list them
  • Extract Forwarded lines from full headers

Operational notes

  • Intermediaries may rewrite headers. Compare captures from equivalent points.
  • Confirm final decisions with server logs and configuration such as trusted proxy and routing.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • RFC 7239 (Forwarded)
  • MDN: Forwarded

FAQ

Forwarded vs X-Forwarded-For?

Forwarded is the standard, but X-Forwarded-* is more common in some environments. Supporting both is practical.

What is for=unknown or for="_gazonk"?

These can be obfuscated or internal identifiers. It may be intentional policy that real IP isn’t exposed.

