
X-Forwarded-For Header: How to Get the Real Client IP Behind a Proxy

Understand the X-Forwarded-For header, how it can be spoofed, and the safe way to extract a real client IP when your server sits behind a proxy or CDN.

Header format and order

The `X-Forwarded-For` header is a comma-separated list of IPs: each proxy appends the address it received the request from, so the chain is often shaped like `client, proxy1, proxy2`. Many apps use the leftmost value as the original client IP, but that is safe only when every hop in the chain is controlled by trusted infrastructure.

If any public client can send requests directly to your app, it can also send a fake `X-Forwarded-For` header. Your server must know which proxy added or sanitized the header before using it for rate limits, logging, or security decisions.

Trusted proxy pattern

A safer pattern is to maintain a trusted proxy list and walk the forwarded chain from right to left until you reach the first untrusted address. In TypeScript, that means parsing the header into IP strings, validating each item, and comparing proxy hops against your known load balancer or CDN ranges.

Cloudflare users should prefer `CF-Connecting-IP` when requests are guaranteed to come through Cloudflare. Vercel and many load balancers expose `x-real-ip` or normalized forwarded headers, but you should still confirm the deployment behavior.

Use the result responsibly

Once extracted, normalize the IP and store the original header only if you have a clear debugging or security need. Be careful with private, loopback, malformed, or reserved addresses because they should not be treated as public user locations.
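The trusted-proxy walk from the previous section and the normalization step above, worked through as an added TypeScript example (this is not Crafzo's code; it also covers the validation question in the FAQ below). The trusted ranges, the non-public range list and the names `parseIP`, `inCidr`, `isPublic` and `resolveClientIp` are assumptions for the example; `remoteAddr` stands for the TCP peer address your framework exposes, which is the one value a client cannot forge by sending a header.

```typescript
// Added example (not Crafzo's code): parse X-Forwarded-For, walk it right to left
// across a trusted proxy list, normalize the result and flag non-public addresses.
type Bytes = number[]; // 4 bytes for IPv4, 16 for IPv6
interface ParsedIP { family: 4 | 6; bytes: Bytes; text: string }

// Strict dotted-quad parser: four octets, no leading zeros, each 0..255.
function parseIPv4(s: string): Bytes | null {
  const parts = s.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255)) return null;
  return parts.map(Number);
}

// IPv6 parser supporting "::" compression and an embedded IPv4 tail (::ffff:a.b.c.d).
function parseIPv6(s: string): Bytes | null {
  if (!/^[0-9a-fA-F:.]+$/.test(s)) return null;
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const expand = (part: string): number[] | null => {
    if (part === "") return [];
    const groups = part.split(":");
    const words: number[] = [];
    for (let i = 0; i < groups.length; i++) {
      const g = groups[i];
      if (i === groups.length - 1 && g.includes(".")) {
        const v4 = parseIPv4(g);
        if (!v4) return null;
        words.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      } else if (/^[0-9a-fA-F]{1,4}$/.test(g)) words.push(parseInt(g, 16));
      else return null;
    }
    return words;
  };
  const head = expand(halves[0]);
  const tail = halves.length === 2 ? expand(halves[1]) : [];
  if (!head || !tail) return null;
  const missing = 8 - head.length - tail.length; // groups the "::" stands for
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const words = [...head, ...new Array<number>(missing).fill(0), ...tail];
  const bytes: Bytes = [];
  for (const w of words) bytes.push(w >> 8, w & 0xff);
  return bytes;
}

// Parse either family and produce one canonical string: IPv4 as dotted-quad (IPv4-mapped
// IPv6 collapses to IPv4), IPv6 as eight lowercase hex groups with no compression.
function parseIP(raw: string): ParsedIP | null {
  const s = raw.trim();
  const v4 = parseIPv4(s);
  if (v4) return { family: 4, bytes: v4, text: v4.join(".") };
  const v6 = parseIPv6(s);
  if (!v6) return null;
  const mapped = v6.slice(0, 10).every((b) => b === 0) && v6[10] === 0xff && v6[11] === 0xff;
  if (mapped) return { family: 4, bytes: v6.slice(12), text: v6.slice(12).join(".") };
  const groups: string[] = [];
  for (let i = 0; i < 16; i += 2) groups.push(((v6[i] << 8) | v6[i + 1]).toString(16));
  return { family: 6, bytes: v6, text: groups.join(":") };
}

// CIDR membership test on the raw bytes; mismatched families never match.
function inCidr(ip: ParsedIP, cidr: string): boolean {
  const [netText, lenText] = cidr.split("/");
  const net = parseIP(netText);
  const len = Number(lenText);
  if (!net || net.family !== ip.family || !Number.isInteger(len) || len < 0 || len > ip.bytes.length * 8) return false;
  const full = len >> 3, rem = len & 7;
  for (let i = 0; i < full; i++) if (ip.bytes[i] !== net.bytes[i]) return false;
  if (rem === 0) return true;
  const mask = (0xff << (8 - rem)) & 0xff;
  return (ip.bytes[full] & mask) === (net.bytes[full] & mask);
}

// Unspecified, private, CGNAT, loopback and link-local ranges: never treat these as a
// public user location (assumed list for the example; extend it for your environment).
const NON_PUBLIC = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10"];
const isPublic = (ip: ParsedIP): boolean => !NON_PUBLIC.some((c) => inCidr(ip, c));

interface ClientIpResult { ip: string | null; reason: string }

// Walk the chain from the right. `remoteAddr` is the TCP peer, the only address the app can
// verify; a header entry is believed only while every hop to its right is a trusted proxy.
function resolveClientIp(remoteAddr: string, xff: string | undefined, trustedProxies: string[]): ClientIpResult {
  const peer = parseIP(remoteAddr);
  if (!peer) return { ip: null, reason: "unparseable peer address" };
  const trusted = (ip: ParsedIP) => trustedProxies.some((c) => inCidr(ip, c));
  if (!trusted(peer)) return { ip: peer.text, reason: "peer is not a trusted proxy; header ignored" };
  const hops = (xff ?? "").split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    const hop = parseIP(hops[i]);
    if (!hop) return { ip: null, reason: `malformed X-Forwarded-For entry at index ${i}` };
    if (!trusted(hop)) return { ip: hop.text, reason: "first untrusted hop from the right" };
  }
  return { ip: peer.text, reason: "every listed hop is a trusted proxy; using peer" };
}
```

Two design choices matter here. A malformed entry yields `ip: null` rather than skipping to the next value, because a header the proxy chain should have sanitized but did not is itself a signal that something upstream is wrong. And when the peer is not in the trusted list the header is ignored outright, so a client that bypasses the load balancer cannot pick its own address; feed the result through `isPublic` before using it for geolocation or lookups.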

For high-risk decisions, combine the extracted client IP with account history, request velocity, authentication state, and lookup results. Crafzo is useful for checking whether the chosen IP belongs to the expected country, ISP, or proxy type.

How to read proxy and VPN signals without overblocking

VPN and proxy detection is a context signal. Many legitimate users rely on privacy tools, workplace VPNs, or travel connections. The important question is whether the action being attempted is sensitive enough to require more proof.

Anonymous infrastructure becomes more concerning when it appears with automation, high fraud scores, repeated signups, payment attempts, credential attacks, or inconsistent device signals. Without those patterns, a proxy result may only deserve logging or a lightweight challenge.

A healthy policy separates browsing from high-risk workflows. Allow ordinary access where possible, then add verification for account recovery, checkout, admin actions, token creation, bulk scraping, or repeated failed authentication.

For a live example, run the relevant address through Crafzo IP Lookup or open the VPN and Proxy IP Checker to compare the article guidance with real lookup fields.

Signals to compare before acting

| Signal | What to check | Practical use |
|---|---|---|
| VPN or proxy flag | Is the address known or likely to be anonymized? | Use as a reason for extra verification on sensitive actions. |
| Hosting or data center | Does the provider look like cloud, server, CDN, or VPN infrastructure? | Useful for separating consumer sessions from automation-friendly networks. |
| Location mismatch | Does the visible location conflict with account, shipping, billing, or recent login history? | Good review signal when paired with stronger account evidence. |
| Behavior | Are requests too fast, too broad, or repeated across many accounts? | Behavior confirms whether the privacy tool is becoming abuse. |

Practical checklist

  • Do not block every VPN user by default.
  • Challenge VPN or proxy sessions only when the workflow is sensitive.
  • Compare provider, ASN, and behavior before enforcement.
  • Document whether the issue is privacy-tool use or actual abuse.
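The policy described in this section, the signals table and the checklist, combined into one decision function as an added TypeScript example (not Crafzo's code). The lookup field shape, the thresholds, the sliding-window tracker and the names `VelocityTracker` and `evaluate` are assumptions for the example; real lookup providers name their fields differently.

```typescript
// Added example (not Crafzo's code): turn lookup and behavior signals into an
// allow / challenge / block decision whose strictness depends on the workflow.
type Action = "browse" | "login" | "checkout" | "account_recovery" | "admin" | "token_create";
type Decision = "allow" | "challenge" | "block";

// Constructed shape for lookup fields; real providers name and scope them differently.
interface LookupSignals {
  anonymizer: boolean;       // VPN or proxy flag
  hosting: boolean;          // cloud, server, CDN or VPN infrastructure
  locationMismatch: boolean; // visible location conflicts with account or billing data
}
interface BehaviorSignals {
  requestsPerMinute: number;
  accountsSeenFromIp: number; // distinct accounts observed from this IP in the window
  failedAuths: number;        // failed authentication attempts in the window
}

// Sliding-window tracker that derives behavior signals from recorded request events.
class VelocityTracker {
  private events = new Map<string, { at: number; account: string; authFailed: boolean }[]>();
  private readonly windowMs: number;
  constructor(windowMs: number) { this.windowMs = windowMs; }

  record(ip: string, account: string, at: number, authFailed = false): void {
    const list = this.events.get(ip) ?? [];
    list.push({ at, account, authFailed });
    this.events.set(ip, list);
  }

  behavior(ip: string, now: number): BehaviorSignals {
    const recent = (this.events.get(ip) ?? []).filter((e) => now - e.at <= this.windowMs);
    return {
      requestsPerMinute: recent.length / Math.max(this.windowMs / 60000, 1),
      accountsSeenFromIp: new Set(recent.map((e) => e.account)).size,
      failedAuths: recent.filter((e) => e.authFailed).length,
    };
  }
}

// Workflows that deserve verification when a network signal is present.
const SENSITIVE: ReadonlySet<Action> = new Set<Action>(["login", "checkout", "account_recovery", "admin", "token_create"]);

// Thresholds below are assumptions for the example; tune them against your own traffic.
function evaluate(action: Action, lookup: LookupSignals, behavior: BehaviorSignals): { decision: Decision; reasons: string[] } {
  const reasons: string[] = [];
  const abusive = behavior.requestsPerMinute > 120 || behavior.accountsSeenFromIp >= 5 || behavior.failedAuths >= 10;
  if (abusive) reasons.push("abusive behavior pattern");
  if (lookup.anonymizer) reasons.push("anonymizer");
  if (lookup.hosting) reasons.push("hosting network");
  if (lookup.locationMismatch) reasons.push("location mismatch");
  // Behavior is what confirms abuse; anonymous infrastructure on top of it justifies a block.
  if (abusive && (lookup.anonymizer || lookup.hosting)) return { decision: "block", reasons };
  if (abusive) return { decision: "challenge", reasons };
  // Network signals alone never block: they earn a challenge only on sensitive workflows.
  if (SENSITIVE.has(action) && reasons.length > 0) return { decision: "challenge", reasons };
  // Ordinary browsing through a VPN: keep the reasons for logging and let the user through.
  return { decision: "allow", reasons };
}
```

The `reasons` array is returned alongside the decision so the log records whether a challenge came from privacy-tool use or from an abuse pattern, which is the last item on the checklist. A VPN on a plain browsing request resolves to `allow` with the signal still logged; the same VPN at checkout gets a challenge; only behavior crossing a threshold escalates further.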

Frequently Asked Questions

Can X-Forwarded-For be faked?

Yes. Any client can send that header unless your trusted proxy strips or rewrites it before traffic reaches the app.

Which IP in X-Forwarded-For is real?

The original client is often the leftmost IP, but that rule is only safe when the entire proxy chain is trusted. In more complex setups, validate from the trusted edge inward.

How do I validate the forwarded IP?

Parse each value as IPv4 or IPv6, reject malformed entries, and trust only headers delivered by your own proxy or CDN. Then compare proxy hops against a maintained trusted range list.

Check an IP Address Now

Use the free Crafzo IP Lookup tool to check IP location, risk score, and AI-powered IP health.
