---
title: "X-Forwarded-For"
slug: "x-forwarded-for"
updated: 2025-05-21T10:16:28Z
published: 2025-05-21T10:16:28Z
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.qwilt.com/llms.txt
> Use this file to discover all available pages before exploring further.

# X-Forwarded-For

## Overview

The *X-Forwarded-For* header is an HTTP header used to identify the originating IP address of a client (end-user) when a request passes through intermediaries like proxies, load balancers, or CDNs. Without this header, the client's IP address would be hidden, as the server would only see the IP of the last intermediary.

The structure of this header is: `X-Forwarded-For: client1, proxy1, proxy 2` where *client1* is the IP address of the original client, and *proxy1, proxy2* are the IP addresses of any intermediaries (proxies) that the request passed through.

By default, the CDN excludes the *X-Forwarded-For* header from origin requests. If the header is present in the client request to the CDN, it is automatically removed by the CDN before the request is forwarded to the origin.

To include the *X-Forwarded-For* header in the origin request, configure an *X-Forwarded-For* rule. Use the rule parameters to specify which IPs to include in the header.

The IPs are transmitted as plain text within the header.

## Configure the Rule

Here, we'll describe how to configure the rule with the Delivery Service Management UI.

API Users may choose to [build the site configuration offline](https://api-docs.qwilt.cqloud.com/docs/CDN%20APIs/Sites%20API/prepare-the-configuration-json).

**To configure an X-Forwarded-For rule:**

1. [Navigate to the Select Rule dialog](/v1/docs/add-a-rule).
2. In the Select Rule dialog, choose **X-Forwarded-For**.
3. In the X-Forwarded-For Rule dialog, Toggle on the **Send X-Forwarded-For header** option.

![XFF1.png](https://cdn.document360.io/fa039225-513b-46a1-ba78-a57a1f1cb7c6/Images/Documentation/XFF1.png)

This instructs the CDN to include the *X-Forwarded-For* header in the request to the origin. (If the client request does not already include the header, it is added to the request by the CDN.)
4. Set the additional rule parameters to determine exactly what data is passed with the *X-Forwarded-For* header.

The header always includes the detected IP address of the entity directly connecting to the CDN to request content. If the request is made through a proxy server, the detected IP is the proxy server's IP address and not the actual end-user's IP address.

![XFFrule.png](https://cdn.document360.io/fa039225-513b-46a1-ba78-a57a1f1cb7c6/Images/Documentation/XFFrule.png)

| Parameter | Description |
| --- | --- |
| **Header Existing Values** | Specifies how the CDN handles any *X-Forwarded-For* values included in the client request. - **Remove Existing Values** - Removes all *X-Forwarded-For* values from the client request, if header is present. - **Preserve Existing Values** - Preserves all *X-Forwarded-For* values from the client request, if the header is present. |
| **Append Qwilt node IPs** | Instructs the CDN to include or exclude the IP addresses of the CDN caches in the request path. |
5. Choose **Add Rule**.

## SVTA Component: QW.HdrXFwFor

When you save the configuration version, the *QW.HdrXFwFor* SVTA component is added to the configuration JSON. This is a [private feature developed by Qwilt](https://api-docs.qwilt.cqloud.com/docs/CDN%20APIs/Sites%20API/Site%20Configuration%20JSON%20Format/prepare-the-configuration-json#qwilt-private-features).

### Parameters

| Field | Valid Values | Default value | Description |
| --- | --- | --- | --- |
| sendXFFHeader | true, false | false | Specifies whether the *X-Forwarded-For* header is included in the origin request. |
| existingValues | preserve, remove | remove | Defines whether to retain existing *X-Forwarded-For* values from the client request. |
| appendQwiltNodeIPs | true, false | false | Determines whether the IP addresses of the CDN caches in the request path are appended to the header. |

### Examples

This example configuration directs the CDN to send a header containing only the detected IP address of the entity that directly connected to the CDN to request content. If the request is made through a proxy server, the detected IP is the proxy server's IP address instead of the actual end-user's IP address.

```
{
"generic-metadata-type": "MI.PrivateFeature.Qwilt.QW.HdrXFwFor",
"generic-metadata-value": {
        "sendXFFHeader": true,
        "existingValues": "remove",
        "appendQwiltNodeIPs": false
    }
}
```

**Preserve Existing Values** In this example:

- If the client request includes the *X-Forwarded-For* header, the CDN preserves the existing header values and appends the detected client IP.
- If the client request does not include the *X-Forwarded-For* header, the CDN adds the header to the origin request with the detected client IP as its value.

```
{
"generic-metadata-type": "MI.PrivateFeature.Qwilt.QW.HdrXFwFor",
"generic-metadata-value": {
        "sendXFFHeader": true,
        "existingValues": "preserve",
        "appendQwiltNodeIPs": false
    }
}
```

**Preserve Existing Values and Append Qwilt Node IPs** In this example:

- If the client request includes the *X-Forwarded-For* header, the CDN preserves the existing header values and appends the detected client IP along with the Qwilt node (Qwilt cache) IPs.
- If the client request does not include the *X-Forwarded-For* header, the CDN adds the header to the origin request, setting its value to the detected client IP and Qwilt node (Qwilt cache) IPs.

```
{
"generic-metadata-type": "MI.PrivateFeature.Qwilt.QW.HdrXFwFor",
"generic-metadata-value": {
        "sendXFFHeader": true,
        "existingValues": "preserve",
        "appendQwiltNodeIPs": true
    }
}
```

**Remove Existing Values and Append Qwilt Node IPs** In this example:

- If the client request includes the *X-Forwarded-For* header, the CDN removes the existing header values and replaces them with the detected client IP and the Qwilt node (Qwilt cache) IPs.
- If the client request does not include the *X-Forwarded-For* header, the CDN adds the header to the origin request, setting its value to the detected client IP and Qwilt node (Qwilt cache) IPs.

```
{
"generic-metadata-type": "MI.PrivateFeature.Qwilt.QW.HdrXFwFor",
"generic-metadata-value": {
        "sendXFFHeader": true,
        "existingValues": "remove",
        "appendQwiltNodeIPs": true
    }
}
```