We all know by now that the leftmost values in the X-Forwarded-For header can be spoofed and only the rightmost IPs – added by your own reverse proxies – can be trusted. The Forwarded header (RFC 7239, 2014) has that same problem, and a new one: if the header is parsed correctly, an attacker can sabotage the whole header.

Let’s take a quick look at how that can happen and how complicated Forwarded parsing can get. (Think about how you’d parse the header as we go.)
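As an added example (not code from this article), here is a strict parser for the grammar RFC 7239 gives the header: elements are comma-separated, pairs semicolon-separated, and a value may be a quoted-string that itself contains commas, semicolons or escaped quotes, so splitting on delimiters is wrong. A quoted value that is never closed runs to the end of the header, including anything your own proxies appended after it, so this parser raises instead of returning a guess; the `client_for` helper then trusts only the rightmost elements. The function and exception names are my own.

```python
import re
# Added example (not the article's code): a strict RFC 7239 Forwarded
# parser that honours quoted-string values and fails closed on bad input.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted-string incl. quoted-pairs

class ForwardedError(ValueError):
    """Malformed Forwarded header: reject the value, do not guess."""

def parse_forwarded(header: str) -> "list[dict[str, str]]":
    """Elements are ','-separated, pairs ';'-separated, but a quoted value
    may itself contain ',' or ';', so naive splitting is wrong."""
    elements, cur, pos = [], {}, 0
    while pos < len(header):
        c = header[pos]
        if c in " \t;":                        # OWS or pair separator
            pos += 1
        elif c == ",":                         # element boundary
            if cur:
                elements.append(cur)
                cur = {}
            pos += 1
        else:
            m = _TOKEN.match(header, pos)
            if not m or not header.startswith("=", m.end()):
                raise ForwardedError(f"expected token= at offset {pos}")
            name, pos = m.group().lower(), m.end() + 1
            if header.startswith('"', pos):
                q = _QUOTED.match(header, pos)
                if not q:                      # opening quote never closed
                    raise ForwardedError(f"unterminated quoted-string at {pos}")
                value, pos = re.sub(r"\\(.)", r"\1", q.group(1)), q.end()
            else:
                m = _TOKEN.match(header, pos)
                if not m:
                    raise ForwardedError(f"expected value at offset {pos}")
                value, pos = m.group(), m.end()
            if name in cur:
                raise ForwardedError(f"duplicate parameter {name!r}")
            cur[name] = value
    if cur:
        elements.append(cur)
    return elements

def client_for(header: str, trusted_proxies: int) -> "str | None":
    """'for' of the element appended by the outermost of our own proxies."""
    elements = parse_forwarded(header)
    if len(elements) < trusted_proxies:
        raise ForwardedError("fewer elements than trusted proxies")
    return elements[-trusted_proxies].get("for")
```

Everything left of the trusted tail is client-controlled and is simply ignored; any parse error should be treated as a reason to reject or log the request rather than to fall back to a partial result.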