Reading List
- The perils of the “real” client IP | adam-p
Adam Pritchard
This post ended up being incredibly ~~long~~ comprehensive. I’m afraid that many people won’t read enough to get everything that’s important, so here are the key points:
  - When deriving the “real client IP address” from the X-Forwarded-For header, use the rightmost IP in the list.
  - The leftmost IP in the XFF header is commonly considered to be “closest to the client” and “most real”, but it’s trivially spoofable. Don’t use it for anything even close to security-related.
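The leftmost-versus-rightmost point above, as an added example that is not from the post or its author: a small parser that extracts the rightmost X-Forwarded-For entry, validates it as an IP address, and is run against a constructed header in which the client forged the leftmost value and a reverse proxy appended the address it actually saw (all addresses are RFC 5737 documentation ranges, chosen for the example).

```python
"""Derive a client IP from X-Forwarded-For the way the post recommends:
take the rightmost entry (appended by the last proxy in front of the app),
not the leftmost entry, which the client can set to anything it likes."""
import ipaddress
from typing import List, Optional


def parse_xff(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated entries.
    Several XFF headers joined with ', ' are handled the same way."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def leftmost_ip(header_value: str) -> Optional[str]:
    """The commonly used, spoofable choice: the first entry in the list."""
    parts = parse_xff(header_value)
    return parts[0] if parts else None


def rightmost_ip(header_value: str) -> Optional[str]:
    """The recommended choice: the last entry, set by the proxy you run.
    Returns None if the header is empty or the entry is not a valid IP."""
    parts = parse_xff(header_value)
    if not parts:
        return None
    try:
        return str(ipaddress.ip_address(parts[-1]))
    except ValueError:
        return None


# Constructed sample (not captured traffic): the client sent a forged XFF
# header, and the reverse proxy appended the TCP peer address it observed.
FORGED_BY_CLIENT = "198.51.100.7"
SEEN_BY_PROXY = "203.0.113.45"
SAMPLE_HEADER = f"{FORGED_BY_CLIENT}, {SEEN_BY_PROXY}"

if __name__ == "__main__":
    print("leftmost (client-controlled):", leftmost_ip(SAMPLE_HEADER))
    print("rightmost (proxy-set):       ", rightmost_ip(SAMPLE_HEADER))
```

The rightmost entry is only meaningful when the application is reachable solely through that proxy; if clients can connect to it directly, the whole header is client-controlled.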