X-Forwarded-For Inspect

Parse and diagnose HTTP headers and routing signals in your browser. No input is sent to a server. Use it for first-pass observation-gap troubleshooting.

How to use

Paste X-Forwarded-For (and optionally X-Real-IP) and click “Parse”. The tool lists the IP chain and the candidate client IPs. Input can be a single header line, a multi-line paste, or a full set of headers.

Notes (this tool)

  • Values outside your trust boundary can be spoofed. Final selection rules should match your proxy setup.

About this page

What does this tool do?

Splits the X-Forwarded-For IP list and shows how to interpret the leftmost and rightmost entries. It also displays X-Real-IP if present.

Designed to clarify the common question: “Which is the real client IP?”

X-Forwarded-For basics

  • X-Forwarded-For is non-standard but widely used.
  • It’s a comma-separated list of IPs (grows with proxy hops).
  • Leftmost is often closest to the original client, but interpretation depends on trust boundaries.

Syntax (how to read)

X-Forwarded-For is a list like “IP, IP, IP”. Spaces may appear.

  • X-Forwarded-For: 203.0.113.1
  • X-Forwarded-For: 203.0.113.1, 198.51.100.2
  • X-Forwarded-For: 203.0.113.1, 198.51.100.2, 10.0.0.10

Which IP should you use? (practical approach)

The practical answer is: define your trusted proxies and only accept IPs outside that boundary. Choosing purely by position is spoofable.

  • Ensure only the trusted edge (LB/CDN) sets/overwrites X-Forwarded-For
  • Configure the app with trusted proxy count/ranges and pick the first IP outside it
  • If private/loopback appears, it may be internal hops or misconfiguration—be careful
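
The selection rule in the list above, as an added Python example (not code from this tool or site): starting from the TCP peer and walking X-Forwarded-For from the right, it skips addresses inside the trusted proxy ranges and returns the first one outside them. The function names, the `TRUSTED` ranges and the sample requests are constructed for illustration, and the code assumes each trusted proxy appends the address it received the connection from.

```python
import ipaddress

# Constructed trust boundary: an internal load balancer range and a CDN range.
TRUSTED = ["10.0.0.0/8", "198.51.100.0/24"]

def parse_chain(header_values):
    """Split one or more X-Forwarded-For header lines into entries, left to right."""
    return [t.strip() for v in header_values for t in v.split(",") if t.strip()]

def is_trusted(addr, nets):
    # Membership is False when the address and network IP versions differ.
    return any(addr in net for net in nets)

def select_client_ip(peer_ip, header_values, trusted_cidrs=TRUSTED):
    """Return the address nearest the server that is not one of our proxies."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    candidate = ipaddress.ip_address(peer_ip)
    if not is_trusted(candidate, nets):
        # The TCP peer is not our proxy, so the header is client-controlled.
        return str(candidate)
    for entry in reversed(parse_chain(header_values)):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            break  # "unknown", host:port, garbage: stop and go no further left
        candidate = hop
        if not is_trusted(hop, nets):
            break  # first address outside the boundary; entries left of it are unvouched
    return str(candidate)

if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For lines as received by the app).
    samples = [
        ("10.0.0.20", ["203.0.113.1, 198.51.100.2, 10.0.0.10"]),
        ("10.0.0.10", ["192.0.2.99, 203.0.113.1, 198.51.100.2"]),  # first entry sent by client
        ("203.0.113.50", ["10.0.0.1"]),                            # peer is not a trusted proxy
        ("10.0.0.10", ["unknown, 198.51.100.2"]),                  # unparsable entry
    ]
    for peer, xff in samples:
        print(peer, xff, "->", select_client_ip(peer, xff))
```

In the second sample the entry 192.0.2.99 was supplied by the client itself; the walk stops at 203.0.113.1 and never reaches it.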

Glossary (terms used on this page)

  • Client IP: the IP closest to the end user (within trusted boundaries).
  • Proxy chain: the list of intermediaries that grows the header.
  • Trust boundary: which proxies you trust; outside of it, values are untrusted.

Why it helps (real-world confusion)

X-Forwarded-For interpretation depends on who appended it. You must define trusted proxies to interpret it correctly.

  • Leftmost is not always the client (can be spoofed)
  • Rightmost is not always your last proxy (path/config differences)

Relationship to X-Real-IP

X-Real-IP is often a single IP and commonly matches the leftmost X-Forwarded-For. Which to trust depends on proxy setup.

Common pitfalls

  • Apps blindly trust headers for IP allowlists (spoofing risk)
  • Misconfigured trust boundaries make proxy IPs look like clients
  • Private/local IPs can appear (10.x / 192.168.x, etc.)

Security notes (trust boundaries)

X-Forwarded-For can be spoofed by clients. Only use values sanitized by trusted proxies.

Troubleshooting checklist by symptom

  • IP allowlist bypass: the app is likely trusting XFF too much. Ensure you don’t accept values from outside the trust boundary
  • Always the same IP: you may be seeing the last proxy, an overwritten header, or a missing trusted-proxy config
  • Private IP appears: internal path leak or misconfiguration. Find where the header is set

How to test (measure)

X-Forwarded-For is a request header, so DevTools and server logs are the most reliable sources.

  • DevTools → Network → Request Headers to check XFF/X-Real-IP (may be hidden if only added between proxies)
  • Compare the app/proxy access logs (chosen client IP) with raw header values
  • Also check Forwarded (Forwarded Inspect) for consistency

Debugging workflow (recommended)

  • Extract X-Forwarded-For / X-Real-IP using Request Headers Parser
  • Split the IP chain here and check order
  • Check consistency with the Forwarded header

What this tool does

  • Split X-Forwarded-For into an IP list
  • Show X-Real-IP if present
  • Extract X-Forwarded-For / X-Real-IP from full headers

Operational notes

  • Intermediaries may rewrite headers. Compare captures from equivalent points.
  • Confirm final decisions with server logs and configuration such as trusted proxy and routing.

Referenced specs

  • RFC 9110 (HTTP Semantics)
  • MDN: X-Forwarded-For

FAQ

Which IP should be treated as the client?

Define your trusted proxies, then choose the leftmost IP outside that trust boundary.

X-Real-IP differs from X-Forwarded-For

Differences can occur due to intermediate policies and order of insertion. Define trust boundaries and selection rules.
