Forum Discussion

Nimbostratus

Oct 30, 2013

Prevent X-Forwarded-For spoofing

We insert an X-Forwarded-For header to pass back to our web servers. One application we have looks to this header to allow or deny certain servers access to us. However, we want to prevent spoofing t...

Nimbostratus

Oct 30, 2013

Right, but won't the HTTP policy then also put on an addition X-Forwarded-For header? My thought is an iRule to do it all.

Basic logic now:

If a header exists coming in, remove and create your own.

THEN

HTTP policy adds another header.

I am thinking a single rule that works like:

If a header exists coming in, remove and create your own. Else if no header, create your own.

THEN

HTTP policy does nothing regarding XFF headers.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Prevent X-Forwarded-For spoofing

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

SSL Bridging and FQDN rewrite Policy

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

Could not communicate with the system. Try to reload page.

F5 BIG IP laboratory license

F5 mssql health monitor failing

Related Content

Prevent a Spoof of an X-Forwarded-For Request with BIG-IP

Extracting X-Forwarded-For in Node.js

X-Forwarded-For Log Filter for Windows Servers

X Forwarded For Single Header Insert

TCP Option 28 X-Forwarded-For Header

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS