Steve Macculan

Reputation: 2322

What is the difference between X-Forwarded-For and X-Forwarded-IP?

To obtain the client IP address in my ASP.NET application I've used the X-Forwarded-For header, and get the first IP address from the list (according to the information I've found, there is a client, proxy1, proxy2, ...). But I've heard recently that it is better to get this information from the X-Forwarded-IP header because the client IP address in X-Forwarded-For can be modified by a proxy. What is the difference, and which address should I use?

Upvotes: 49

Views: 105542

Answers (2)

Francois Connetable

Reputation: 436

X-Forwarded-For is a non-standard header, introduced originally by Squid. It is a proxy-specific header that helps a server identify the original requestor of a call that did pass through the proxy, so obviously any proxy on the request path should/will modify X-Forwarded-For. Without a proxy on the request path, this header shouldn't even be in the request.

Because this header is non-standard, there is no guarantee you'll get it, and the way it is handled can differ depending on the proxy implementation. You have no guarantee either that it will contain a proper IP.

Since 2014, the IETF has approved a standard header definition for proxies, called "Forwarded", documented at https://www.rfc-editor.org/rfc/rfc7239, that should be used instead of the X-Forwarded headers. This is the one you should use reliably to get the originating IP in case your request is handled by a proxy.

In general, the proxy headers (Forwarded or X-Forwarded-For) are the right way to get your client IP only when you are sure they come to you via a proxy. If there is no proxy header or no usable value in it, you should default to the REMOTE_ADDR server variable.

Upvotes: 22
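The fallback logic described in the answer above, as an added example that is not part of the original answer, sketched in Python as language-neutral logic that ports directly to an ASP.NET handler. The `TRUSTED_PROXIES` list, the function names and the lowercase header keys are assumptions. It goes one step beyond the answer by reading the hop list from the right and skipping your own proxies, so an address supplied by the client in the leftmost position is never taken on faith.

```python
import ipaddress
import re

# Assumption: networks of the reverse proxies / load balancers you operate (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

def _parse_ip(token):
    """Return an ip_address for an XFF entry or RFC 7239 node, or None if unusable."""
    token = token.strip().strip('"')
    if token.startswith("["):                  # "[2001:db8::17]:4711"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:                # "198.51.100.7:4711"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:                         # "unknown", "_hidden", garbage
        return None

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def _hops(headers):
    """Hop list, leftmost = claimed client. Forwarded (RFC 7239) wins over X-Forwarded-For."""
    fwd = headers.get("forwarded")             # assumption: header names are lowercased
    if fwd:
        hops = []
        for element in fwd.split(","):         # one element per hop; keep its for= parameter
            m = re.search(r'(?:^|;)\s*for=("[^"]*"|[^;,\s]*)', element, re.I)
            hops.append(m.group(1) if m else "")
        return hops
    xff = headers.get("x-forwarded-for")
    return xff.split(",") if xff else []

def client_ip(remote_addr, headers):
    """remote_addr is the TCP peer (REMOTE_ADDR); headers is a dict of request headers."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)       # direct connection: the headers are client-controlled, ignore them
    for token in reversed(_hops(headers)):     # start at the hop nearest to us
        ip = _parse_ip(token)
        if ip is None:
            break              # no usable value: fall back to REMOTE_ADDR
        if not _is_trusted(ip):
            return str(ip)     # first address not appended by one of our own proxies
    return str(peer)
```
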

Buhake Sindi

Reputation: 89169

X-Forwarded-For is the conventional way of identifying the originating IP address of the user connecting to the web server coming from either an HTTP proxy or a load balancer.

X-Forwarded-IP is the conventional way of identifying the originating IP address of the user connecting to the email server through an HTTP mail service.

Upvotes: 63
