Forwarded
Request header Routing

Overview

Forwarded is the standardized header (RFC 7239) by which a reverse proxy passes the original client, protocol, and host to backend servers in a single, well-defined header. It unifies the sprawl of ad hoc `X-Forwarded-*` headers.

The value groups name-value pairs like `for`, `by`, `host`, and `proto` with semicolons, and chains one group per proxy hop with commas (e.g. `for=192.0.2.60;proto=https;by=203.0.113.43`).

Details

Where `X-Forwarded-For`, `X-Forwarded-Host`, and `X-Forwarded-Proto` were scattered across separate headers, Forwarded packs them as parameters in one header, preserving order and pairing across multiple hops. When an IPv6 address or port is present the value is quoted (`for="[2001:db8::1]:8080"`), and for privacy you can use opaque identifiers like `for=_hidden` or `for=unknown`.

Despite being the standard, field adoption still favors `X-Forwarded-*`, because many load balancers, frameworks, and proxies emit the legacy headers by default. For new designs prefer Forwarded, but verify that upstream and downstream components parse it.

For security, this value too can be forged by clients or intermediaries, so don't trust it blindly. A proxy at the trust boundary should validate and rewrite incoming Forwarded, and the application should use only the value appended by a proxy it trusts. With multiple hops, walk the trust chain to determine the real client entry.

Syntax

Forwarded: for=<client>[;by=<proxy>][;host=<host>][;proto=<scheme>][, ...]

e.g. Forwarded: for=192.0.2.60;proto=https;by=203.0.113.43

Directives / values

for=<node>The client (or preceding node) that made the request to the proxy: an IP or opaque token (`_hidden`); IPv6 must be quoted.
by=<node>The interface/proxy that received the request; used for internal routing traces.
host=<host>The original Host header the client requested, before the proxy rewrote it.
proto=<scheme>The scheme of the original request (`http` or `https`).

Notes

Related headers

Specification