Reminder that the following http headers are "protected" headers that malicious client's can and will spoof to exploit bad server configuration - X-Forwarded-For - X-Forwarded-Proto - X-Forwarded-Server - X-Real-IP I would suggest if you're developing server software that uses values from any of these headers, it does so only from trusted downstream proxy servers.