Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

X Forwarded For Single Header Insert

Problem this snippet solves: Many servers and applications expect only a single X-Forwarded-For header per request. However, the BIG-IP HTTP profile option appends a new X-Forwarded-For header to th...
Published Mar 18, 2015
Version 1.0
application delivery
content manipulation
devops
irules
Juraj's avatar
Juraj
Icon for Cirrus rankCirrus
Mar 21, 2017

The HTTP::header page says about 

HTTP::header replace  []
the following:

 

Replaces the value of the last occurrence of the header named with the string . This command performs a header insertion if the header was not present. If there are multiple instances of the header, only the last instance is replaced.

 

 

Just wondering, wouldn't it be safer to remove all existing instances of 

X-Forwarded-For
first, and then insert our own? That would make sure there's really only one instance of 
X-Forwarded-For
passed to the back-end web application:

 

when HTTP_REQUEST {
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}