The originating server of a client request.

Fastly reads this header from requests and writes it into requests. It is defined by an external standard.

For VCL services, Fastly will add or append X-Forwarded-Server headers on incoming requests over TLS, as follows:

  • Fastly's edge cache – if the request protocol is TLS.
  • Fastly's shield cache – if the origin has a TLS configuration and shielding is enabled.
  • Even if client connection is TLS, unless the origin connection is over TLS, nothing will be added or appended at the shield.


ShieldingRequest ProtocolOrigin ProtocolClient HeaderX-Forwarded-ServerNote
NoTLSTLSNocache-nrt6128-NRTAdded at edge
NoNon TLSTLSNonull
NoTLSTLSYesServer1, cache-nrt6146-NRTAppended
NoNon TLSTLSYesServer1Pass-through
NoTLSNon TLSNocache-nrt6128-NRTAdded at edge
NoNon TLSNon TLSNonull
NoTLSNon TLSYesServer1, cache-nrt6146-NRTAppended
NoNon TLSNon TLSYesServer1Pass-through
YesTLSTLSNocache-hnd18734-HND, cache-hkg17928-HKGAdded at edge and shield
YesNon TLSTLSNocache-hkg17933-HKGAdded at shield
YesTLSTLSYesServer1, cache-nrt6122-NRT, cache-hkg17925-HKGAdded at edge and shield
YesNon TLSTLSYesServer1, cache-hkg17926-HKGAdded at shield
YesTLSNon TLSNocache-hnd18723-HNDAdded at edge
YesNon TLSNon TLSNonull
YesTLSNon TLSYesServer1, cache-hnd18746-HNDAdded at edge
YesNon TLSNon TLSYesServer1Pass-through

Overriding multiple entries

To set a single value for this header, add the following to vcl_miss and vcl_pass:

set bereq.http.X-Forwarded-Server = server.hostname;

User contributed notes


Do you see an error in this page? Do have an interesting use case, example or edge case people should know about? Share your knowledge and help people who are reading this page! (Comments are moderated; for support, please contact support@fastly.com)