We all know by now that the leftmost values in the X-Forwarded-For header can be spoofed, and that only the rightmost IPs – the ones added by your own reverse proxies – can be trusted. The Forwarded header (RFC 7239, 2014) has that same problem, plus a new one: if the header is parsed correctly, an attacker can sabotage the whole header. Let's take a quick look at how that can happen and at how complicated Forwarded parsing can get. (Think about how you'd parse the header as we go.)
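As an added example (not code from the original post), here is a strict RFC 7239 parser with the rightmost-trusted rule applied on top; it goes a little beyond the text by handling quoted-string values such as bracketed IPv6 nodes. The sample headers are constructed, and "one trusted proxy" is an assumption about the deployment.

```python
import re

# RFC 7239 grammar: forwarded-pair = token "=" ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'  # quoted-string, backslash escapes allowed
PAIR_RE = re.compile(rf"\s*({TOKEN})=({TOKEN}|{QUOTED})\s*")

def _unquote(value):
    """Drop the quotes and backslash escapes of a quoted-string value."""
    return re.sub(r"\\(.)", r"\1", value[1:-1]) if value[0] == '"' else value

def parse_forwarded(header):
    """Strict RFC 7239 parse into [{param: value}, ...], left to right. Any syntax
    error raises ValueError: one stray quote in the client-supplied part is enough."""
    elements, current, pos, n = [], {}, 0, len(header)
    while pos < n:
        if m := PAIR_RE.match(header, pos):
            name = m.group(1).lower()
            if name in current:  # a parameter MUST NOT repeat within one element
                raise ValueError(f"duplicate parameter {name!r} at offset {pos}")
            current[name] = _unquote(m.group(2))
            pos = m.end()
        while pos < n and header[pos] in " \t":  # OWS around empty list members
            pos += 1
        if pos >= n:
            break
        if header[pos] == ";":  # next pair of the same element
            pos += 1
        elif header[pos] == ",":  # next element, appended by the next hop
            if current:
                elements.append(current)
            current, pos = {}, pos + 1
        else:
            raise ValueError(f"syntax error at offset {pos}: {header[pos:pos + 8]!r}")
    return elements + [current] if current else elements

def client_ip(header, trusted_proxies):
    """Trust only the rightmost `trusted_proxies` elements (added by our own proxies);
    the one our first proxy appended names the client. Unparseable header -> None."""
    try:
        elements = parse_forwarded(header)
    except ValueError:
        return None
    if trusted_proxies < 1 or len(elements) < trusted_proxies:
        return None
    return elements[-trusted_proxies].get("for")

# Constructed samples: left element from the client, right one appended by our proxy.
SPOOFED = 'for=10.0.0.1;proto=https, for="[2001:db8::1]:4711"'
SABOTAGED = 'for="10.0.0.1, for="[2001:db8::1]:4711"'  # one stray quote up front
```

With one trusted proxy, `SPOOFED` still yields the real client, but `SABOTAGED` yields nothing at all, because the unbalanced quote swallows the separator and the element our own proxy appended along with it.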