I have a site behind CF which needs to preserve anonymity of clients as much as possible. To that end, we are trying to prevent any identifying information from the request headers before they are sent to the server. I have set up request header transform rules to remove cf-connecting-ip and x-forwarded-for headers. The cf-connecting-ip rule works, but the x-forwarded-for one does not. Aside from the header they modify, they are specified exactly the same, and I have even tried combining them into one rule, but still only cf-connecting-ip is removed.
I have seen in the documentation here that x-forwarded-for cannot be modified, but it doesn’t say anything about removal. By contrast, it explicitly says cf-connecting-ip can be removed.
So… is it actually possible to remove the x-forwarded-for header? It really should be… If this is supposed to work then what might I be doing wrong?
X-Forwarded-For, CF-Connecting-IP and True-Client-IP can be removed with Transform Rules, but not set, so yes, I’d expect it to be removed.
The only edge case here potentially is if the HTTP request subsequently went to a Worker and generated a sub-request, that may result in an XFF being re-added with a special Workers IP in the value - 2a06:98c0:3600::103.
Looks like you may have found a bug; I’m sure this used to work. I’ve raised a bug and we’ll look at this in the new year.
I tested with removing cf-connecting-ip and true-client-ip and those both work, so I’m guessing a product or function downstream of Transform Rules is re-adding the XFF header. Very annoying, but we’ll get it fixed.
I don’t know what has happened over the weekend but when I tested this morning I am now also seeing the cf-connecting-ip header despite there being no changes to the transform rule which should remove it and was working last week…
For the record: Cloudflare’s “Remove visitor IP headers” Managed Transform is also currently not working and leaving the “X-Forwarded-For” header intact. Probably for the same reason.
Hope this can be fixed soon! It will remove a medium showstopper issue for my website.
Hey team, hope everything’s fine. Any news on this subject? For EU-based companies it would be very, very useful (not to say mandatory at some point) to be able to actually remove IP addresses (including from X-Forwarded-For headers). Thanks!
I confirm X-Forwarded-For is NOT removed
neither with ‘Managed Transform - Remove visitor IP headers’
nor Create Transform Rule - Modify Request Header
when with the same expression ‘User-Agent’ and ‘Accept-Language’ are properly removed.
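
An origin-side check for the behaviour discussed in this thread, as an added example that is not part of any post or of Cloudflare's own code: it inspects the headers the origin actually received and reports which of the three visitor-IP headers survived, treating the Workers address quoted above separately. The function names and the sample requests are constructed for illustration.

```python
import ipaddress

# Headers the thread names as carrying the visitor's address.
VISITOR_IP_HEADERS = ("x-forwarded-for", "cf-connecting-ip", "true-client-ip")
# Workers sub-request address quoted in the thread.
WORKERS_IP = ipaddress.ip_address("2a06:98c0:3600::103")

# Constructed samples (documentation-range addresses), not captured traffic.
SAMPLE_PARTIAL = [  # CF-Connecting-IP stripped, X-Forwarded-For still present
    ("Host", "example.com"),
    ("X-Forwarded-For", "203.0.113.7, 2a06:98c0:3600::103"),
    ("User-Agent", "curl/8"),
]
SAMPLE_WORKER_ONLY = [  # only the Workers sub-request address remains
    ("Host", "example.com"),
    ("X-Forwarded-For", "2a06:98c0:3600::103"),
]


def audit_headers(headers):
    """Return {header: [(value, verdict), ...]} for visitor-IP headers present.

    `headers` is an iterable of (name, value) pairs as received at the origin.
    Verdicts: "workers-subrequest", "client-ip" or "unparsed".
    """
    findings = {}
    for name, raw in headers:
        key = name.strip().lower()
        if key not in VISITOR_IP_HEADERS:
            continue
        # X-Forwarded-For may hold a comma-separated chain and may repeat.
        for part in raw.split(","):
            token = part.strip()
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                verdict = "unparsed"
            else:
                verdict = "workers-subrequest" if addr == WORKERS_IP else "client-ip"
            findings.setdefault(key, []).append((token, verdict))
    return findings


def leaks_client_ip(headers):
    """True if any visitor-IP header holds something other than the Workers
    address. Unparsed values count as leaks, to stay on the safe side."""
    return any(verdict != "workers-subrequest"
               for entries in audit_headers(headers).values()
               for _, verdict in entries)
```

Feeding it the header pairs from an origin access log or a test endpoint shows whether a removal rule took effect for each header independently.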