I have a site behind CF which needs to preserve anonymity of clients as much as possible. To that end, we are trying to prevent any identifying information from the request headers before they are sent to the server. I have set up request header transform rules to remove cf-connecting-ip and x-forwarded-for headers. The cf-connecting-ip rule works, but the x-forwarded-for one does not. Aside from the header they modify, they are specified exactly the same, and I have even tried combining them into one rule, but still only cf-connecting-ip is removed.
I have seen in the documentation here that x-forwarded-for cannot be modified, but it doesn't say anything about removal. By contrast, it explicitly says cf-connecting-ip can be removed.
So… is it actually possible to remove the x-forwarded-for header? It really should be… If this is supposed to work then what might I be doing wrong?
X-Forwarded-For, CF-Connecting-IP and True-Client-IP can be removed with Transform Rules, but not set, so yes I'd expect it to be removed.
The only edge case here potentially is if the HTTP request subsequently went to a Worker and generated a sub-request, that may result in an XFF being re-added with a special Workers IP in the value - 2a06:98c0:3600::103.
I'm able to remove cf-connecting-ip, but x-forwarded-for remains. My favorite test domain, of course. I added a /header.php script to display request headers.
OK, well why doesn't it work then? @sdayman below has reproduced the same problem I'm having, it's not an edge case, just plain standard x-forwarded-for headers with ipv4 addresses in them…
Looks like you may have found a bug. I'm sure this used to work. I've raised a bug and we'll look at this in the new year.
I tested with removing cf-connecting-ip and true-client-ip and those both work, so I'm guessing a product or function downstream of Transform Rules is re-adding the XFF header. Very annoying, but we'll get it fixed.
Hi @mabba - this is still not working for me. Our test script which echoes request headers still has x-forwarded-for in it, despite having a transform rule to remove it.
We are removing the header, so you won't be able to see any value that is being sent to us, but it seems you are still seeing a value, which is a Cloudflare IP.
Your request is to NOT see the header at all, even if it is providing only a Cloudflare IP?
Seeing a Cloudflare IP would be acceptable but we would prefer the header was actually removed since that is what the rule is supposed to do. It should work the same way it does for cf-connecting-ip.
I don't know what has happened over the weekend but when I tested this morning I am now also seeing the cf-connecting-ip header despite there being no changes to the transform rule which should remove it and was working last week…
For the record: Cloudflare's "Remove visitor IP headers" Managed Transform is also currently not working and leaving the "X-Forwarded-For" header intact. Probably for the same reason.
Hope this can be fixed soon! It will remove a medium showstopper issue for my website.
Hey team, hope everything's fine. Any news on this subject? For EU-based companies it would be very, very useful (not to say mandatory at some point) to be able to actually remove IP address (including from X-Forwarded-For headers). Thanks!
I confirm X-Forwarded-For is NOT removed
neither with "Managed Transform - Remove visitor IP headers"
nor Create Transform Rule - Modify Request Header
when with the same expression "User-Agent" and "Accept-Language" are properly removed.
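Several posters above verify the transform rule by echoing request headers at the origin and eyeballing the output. The following is an added example (not code from the thread or from Cloudflare) that automates that origin-side check: it parses a raw request as the origin receives it, reports which of the three visitor-IP headers survived, and, for each surviving header, distinguishes values that only contain proxy/edge addresses (the "Cloudflare IP" case mabba describes) from values that still leak a real client address. The request texts, the `203.0.113.7` client address and the `PROXY_RANGES` list are constructed for the example; the one range in it is assumed to correspond to Cloudflare's published IPv6 list, and a real deployment should load the full list from https://www.cloudflare.com/ips/ instead.

```python
import ipaddress
from typing import Dict, List

# The three headers the thread's transform rules are meant to strip.
VISITOR_IP_HEADERS = ("x-forwarded-for", "cf-connecting-ip", "true-client-ip")

# Assumption: a subset of Cloudflare's published proxy ranges. The page's
# Workers address 2a06:98c0:3600::103 falls inside it. Load the authoritative
# list from https://www.cloudflare.com/ips/ in real use.
PROXY_RANGES = ["2a06:98c0::/29"]


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict with
    lowercase names (header names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                              # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_visitor_ip_headers(headers: Dict[str, str],
                             proxy_ranges: List[str]) -> Dict[str, List[str]]:
    """Return {header_name: [leaked_values]} for every visitor-IP header that
    is still present. An empty list means the header survived but carries only
    addresses inside proxy_ranges; a non-empty list is a real client IP leak.
    A header that was removed does not appear in the result at all."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    result: Dict[str, List[str]] = {}
    for name in VISITOR_IP_HEADERS:
        if name not in headers:
            continue
        leaked: List[str] = []
        # X-Forwarded-For may hold a comma-separated chain of addresses.
        for token in headers[name].split(","):
            token = token.strip()
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                leaked.append(token)  # unparsable value: treat as a leak
                continue
            # `addr in net` is False for mismatched IP versions, no exception.
            if not any(addr in net for net in nets):
                leaked.append(token)
        result[name] = leaked
    return result


# Constructed sample requests, written as the origin would receive them.
SAMPLE_LEAK = ("GET /header.php HTTP/1.1\r\nHost: example.com\r\n"
               "X-Forwarded-For: 203.0.113.7, 2a06:98c0:3600::103\r\n"
               "User-Agent: test\r\n\r\n")
SAMPLE_PROXY_ONLY = ("GET /header.php HTTP/1.1\r\nHost: example.com\r\n"
                     "X-Forwarded-For: 2a06:98c0:3600::103\r\n\r\n")
SAMPLE_CLEAN = "GET /header.php HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("leak", SAMPLE_LEAK), ("proxy-only", SAMPLE_PROXY_ONLY),
                       ("clean", SAMPLE_CLEAN)):
        print(label, audit_visitor_ip_headers(parse_headers(req), PROXY_RANGES))
```

Run against a request captured at the origin (for example the raw request your `/header.php` equivalent logs), an empty result means all three headers were removed; a key with an empty list reproduces the "header present but only a Cloudflare IP" state discussed above; a key with addresses in it means the rule is not protecting client anonymity for that header.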