Can X-Forwarded-For be removed?

Hi. We are currently under audit by our Data Protection Authority because of a complaint related to data transfers to the US. I can confirm to you that the DPA evaluated this option and concluded it DOESN’T WORK. Because the IP address cannot be removed from the header, the US secret services can access it, and because there is no timeline to solve this problem, they will publicly say that using Cloudflare doesn’t comply with GDPR, like Google Analytics :frowning:

Ah, again. Well, hiding the X-Forwarded-For does not change anything other than conceal the fact that data is getting sent to the US. And that’s why most companies I ever worked for do have a “no data leaves the country” policy.

That, I guess, is not true. The info about who it was forwarded for does not allow the US Secret Service to look into it, but sending data to/storing data on US servers does. Also, if you are really concerned about the US Secret Service reading your data, then please do not use any US service, as they ALL need to comply with US law.

IMHO it does not comply with the EU-GDPR in many ways. They say they do, but actually they don’t. Please also specify which GDPR you are talking about?
The EU one? Any other GDPR? Which country - as many also have different standards/definitions.

But at the end it is like this:
concealing facts to pass an audit really is not very clever. If you know things you do are against the law/GDPR, fix them, don’t conceal them. And removing some headers does not solve the problem.

Hi Mabba,

It’s been 6 months since our last check-in - I was wondering if there is any progress on solving this issue please?

Regards,
Brenton

Hi, no updates yet. We had to make a choice in competing priorities, and this is, unfortunately, considered lower priority with respect to other parallel workflows. We will revisit it as soon as possible, but we don’t have timelines to share.

any news? bruh

We have just discovered this bug in our setup too. It would be great to understand if this will be fixed!

We’re seeing this bug now as well. I have a Worker making a subrequest to proxy API calls for a client app and I’m able to see the client IP on the server side.

I have an HTTP Request Header Modification Rule set up to remove these headers for any GET request and I also have the Remove IP option enabled under Managed Transforms.

When I look at the headers on the server side, I’m still able to see my actual IP address and user agent.

Hi All

The fix is on our to-do list, but we do not have an ETA on when this will be done.

Are there any updates? The issue was identified in 2021.