The originating IP address of a client request.

Fastly reads this header from requests and writes it into requests. It is defined by an external standard.

For VCL services, Fastly will add or append X-Forwarded-For headers on incoming requests over TLS, as follows:

  • The client IP – if the request protocol is TLS.
  • The edge IP – if the origin has a TLS configuration and shielding is enabled.
  • Even if client connection is TLS, unless the origin connection is over TLS, nothing will be added or appended at the shield.

The value is not protected from modification at the edge of the Fastly network, so if a client sets this header itself, we will use it. If you want to prevent this, set the value yourself in VCL:

Fastly VCL
if (fastly.ff.visits_this_service == 0 && req.restarts == 0) {
set req.http.X-Forwarded-For = client.ip;


ShieldingRequest ProtocolOrigin ProtocolClient HeaderX-Forwarded-ForNote
NoTLSTLSNo210.191.60.193Added at edge
NoNon TLSTLSNonull
NoNon TLSTLSYes1.1.1.1Pass-through
NoTLSNon TLSNo210.191.60.193Added at edge
NoNon TLSNon TLSNonull
NoTLSNon TLSYes1.1.1.1,
NoNon TLSNon TLSYes1.1.1.1Pass-through
YesTLSTLSNo118.6.192.181, at edge (client IP) and shield (edge IP)
YesNon TLSTLSNo157.52.91.44Added at shield (edge IP)
YesTLSTLSYes1.1.1.1,, at edge (client IP) and shield (edge IP)
YesNon TLSTLSYes1.1.1.1, at shield (edge IP)
YesTLSNon TLSNo118.6.192.181Added at edge (client IP)
YesNon TLSNon TLSNonull
YesTLSNon TLSYes1.1.1.1, at edge (client IP)
YesNon TLSNon TLSYes1.1.1.1Pass-through

Overriding multiple entries

To set a single value for this header, add the following to vcl_miss and vcl_pass:

set bereq.http.X-Forwarded-For = client.ip;

User contributed notes


Do you see an error in this page? Do have an interesting use case, example or edge case people should know about? Share your knowledge and help people who are reading this page! (Comments are moderated; for support, please contact support@fastly.com)