I have a site behind CF which needs to preserve anonymity of clients as much as possible. To that end, we are trying to prevent any identifying information from the request headers before they are sent to the server. I have set up request header transform rules to remove cf-connecting-ip and x-forwarded-for headers. The cf-connecting-ip rule works, but the x-forwarded-for one does not. Aside from the header they modify, they are specified exactly the same, and I have even tried combining them into one rule, but still only cf-connecting-ip is removed.
I have seen in the documentation here that x-forwarded-for cannot be modified, but it doesn’t say anything about removal. By contrast, it explicitly says cf-connecting-ip can be removed.
So… is it actually possible to remove the x-forwarded-for header? It really should be… If this is supposed to work then what might I be doing wrong?
X-Forwarded-For, CF-Connecting-IP and True-Client-IP can be removed with Transform Rules, but not set, so yes i’d expect it to be removed.
The only edge case here potentially is if the HTTP request subsequently went to a Worker and generated a sub-request, that may result in a an XFF being re-added with a special Workers IP in the value -
I’m able to remove cf-connecting-ip, but x-forwarded-for remains. My favorite test domain, of course. I added a /header.php script to display request headers.
OK, well why doesn’t it work then? @sdayman below has reproduced the same problem I’m having, it’s not an edge case, just plain standard x-forwarded-for headers with ipv4 addresses in them…
Looks like you may have found a bug I’m sure this used to work. I’ve raised a bug and we’ll look at this in the new year.
I tested with removing cf-connecting-ip and true-client-ip and those both work, so i’m guessing a product or function downstream of Transform Rules is re-adding the XFF header. Very annoying, but we’ll get it fixed.
Well thanks for confirming the bug. How can I get notified when it has been fixed please?
I’ll post in this thread to confirm.
Hey folks, this is currently available, let us know if it doesn’t work!
Hi @mabba - this is still not working for me. Our test script which echoes request headers still has x-forwarded-for in it, despite having a transform rule to remove it.
Hi @Shogun , let me sync with the team.
We are removing the header, so you won’t be able to see any value that is being sent to us, but it seems you are still seeing a value, which is a Cloudflare IP.
Your request is to NOT see the header at all, even if it is providing only a Cloudflare IP?
No, I am seeing my public IP in the header (which is actually a VPN exit node).
Seeing a Cloudflare IP would be acceptable but we would prefer the header was actually removed since that is what the rule is supposed to do. It should work the same way it does for cf-connecting-ip
I don’t know what has happened over the weekend but when I tested this morning I am now also seeing the cf-connecting-ip header despite there being no changes to the transform rule which should remove it and was working last week…
Are there any updates on this one please?
I’m afraid we don’t have any update on this ATM
Do you know if this bug is being actively worked on?
Yes it is! We will update this topic when we will have updates
For the record: Cloudflare’s “Remove visitor IP headers” Managed Transform is also currently not working and leaving the “X-Forwarded-For” header intact. Probably for the same reason.
Hope this can be fixed soon! It will remove a medium showstopper issue for my website.