X-Real-IPX-Real-IP is a non-standard convention header that carries a single 'real client IP' as determined by the proxy to the backend. Unlike X-Forwarded-For, which lists a chain of IPs, it holds just one value.
It is commonly set in nginx via `proxy_set_header X-Real-IP $remote_addr;` so the backend can use the visitor IP directly without parsing.
Where XFF lists the whole path like `client, proxy1, proxy2`, X-Real-IP puts only the single value the proxy decided is 'the real client'. Backend code can use one value without list-parsing and trusted-proxy peeling — convenient, but that convenience rests on the premise that the proxy's decision is correct.
Because it is not standardized it has no spec-defined meaning, and in a multi-tier proxy chain the value depends on which proxy sets what. With several proxies in the middle, each may overwrite X-Real-IP, so it can end up holding the previous proxy's IP rather than the original client's. So trust it only when you fully control the trust boundary and configuration.
The security risk equals XFF's: outside the trust boundary a client can forge `X-Real-IP`, so the outermost trusted proxy must set (overwrite) this header itself and ignore externally supplied values. If standardizing, prefer Forwarded; for de facto compatibility rely on XFF and keep X-Real-IP as a secondary.
X-Real-IP: <client-ip>e.g. X-Real-IP: 203.0.113.7