Support for HTTP Forwarded header as a replacement for X-Forwarded-For?

An application compatibility bug I encountered today made me wonder whether Cloudflare has any plans to implement the standard Forwarded header defined in RFC 7239 as a replacement for the non-standard X-Forwarded-For header, since it standardizes some thorny compatibility issues.

The problem I encountered is that Cloudflare’s implementation of X-Forwarded-For does not use the IPv6 address format which includes square brackets, which breaks all requests handled by the Java Spring framework, and the Spring developers feel that this is a problem which should be fixed by changing proxies to use that format:

Does any implementation of XFF use []? The use of colons in IPv6 addresses was always known to be a terrible choice. But using XFF is generally a bad idea as well, as any user can insert any garbage they like, and you end up having to do a lot of work to make sure you are looking at the correct address. For applications behind Cloudflare, the CF-Connecting-IP is a reliable way to identify the user.

X-Forwarded-For is definitely a mess since it grew organically, which made something like this predictable given how long it took before IPv6 was widely enough deployed for people to test things like this. A transform rule to remove X-Forwarded-For/Forwarded is definitely a good idea for stripping user-provided values.

There’s apparently some spread in formats: Cloudflare and nginx do not use brackets, but apparently other proxies do, enough so that the Spring developers feel that’s the correct behaviour. Microsoft’s Azure products complicate it even further by including the port number (address:port).

CF-Connecting-IP isn’t actually a solution to this issue because, while I agree that it’s better for many reasons, it doesn’t use the bracketed form and would cause Spring apps to fail in the same manner.

If Forwarded didn’t exist in a standardized form with better semantics I would have been looking into XFF normalizer or similar but it seems like it’d be better to pull things in the direction of the standard over time since that will handle a variety of other problems as well.
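The two problems discussed in this thread, the spread of IPv6 formats in X-Forwarded-For (bare, bracketed, bracketed with port, and Azure's address:port) and the fact that a client can prepend arbitrary values to the header, can be handled together in a small normaliser that only trusts the hops appended by known proxies. The following is an added example, not code from the original posts, from Cloudflare or from Spring; the sample headers, the trusted proxy range 198.51.100.0/24 and the peer addresses are constructed for illustration. It goes slightly beyond the thread in also parsing the RFC 7239 Forwarded header's `for=` node identifiers, which is where the bracketed-and-quoted IPv6 form is actually mandated.

```python
"""Normalise proxy-supplied client addresses from X-Forwarded-For and
RFC 7239 Forwarded headers. Added example; not code from the thread."""
import ipaddress
import re
from typing import List, Optional

# "[ipv6]" optionally followed by ":port" (the RFC 7239 node form, and the
# bracketed form Spring expects in X-Forwarded-For).
_BRACKETED = re.compile(r'^\[(?P<ip>[^\]]+)\](?::(?P<port>\d{1,5}))?$')

# Assumption for this example: the proxy tier in front of the app lives here.
TRUSTED_PROXIES = ["198.51.100.0/24"]


def normalize_node(value: str) -> Optional[str]:
    """Return the canonical IP for one forwarded node, or None if it is not an IP.

    Accepts every format mentioned in the thread:
      "203.0.113.7"          bare IPv4
      "203.0.113.7:4711"     IPv4 with port (Azure style)
      "2001:db8::1"          bare IPv6 (Cloudflare, nginx)
      "[2001:db8::1]"        bracketed IPv6
      "[2001:db8::1]:4711"   bracketed IPv6 with port (RFC 7239 node form)
    "unknown", obfuscated "_x" identifiers and injected garbage yield None.
    Note that an unbracketed "2001:db8::1:4711" is indistinguishable from a
    plain IPv6 address; that ambiguity is why the bracketed form exists.
    """
    value = value.strip().strip('"')
    if not value:
        return None
    m = _BRACKETED.match(value)
    if m:
        value = m.group("ip")
    elif value.count(":") == 1:
        # Exactly one colon can only be IPv4:port; a bare IPv6 has two or more.
        value = value.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(value))  # compresses and lowercases IPv6
    except ValueError:
        return None


def parse_xff(header: str) -> List[Optional[str]]:
    """Split X-Forwarded-For into normalised nodes, left (client) to right (nearest proxy)."""
    return [normalize_node(part) for part in header.split(",") if part.strip()]


def parse_forwarded(header: str) -> List[dict]:
    """Parse an RFC 7239 Forwarded header into one dict per forwarded element.

    Elements are comma separated; each is ";"-separated key=value pairs whose
    values may be quoted. "for" and "by" are node identifiers and are normalised;
    "proto" and "host" are kept as strings. Simple tokenizer: it assumes quoted
    values contain no "," or ";", which holds for node identifiers.
    """
    elements = []
    for element in header.split(","):
        params = {}
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, _, raw = pair.partition("=")
            key = key.strip().lower()
            raw = raw.strip().strip('"')
            params[key] = normalize_node(raw) if key in ("for", "by") else raw
        if params:
            elements.append(params)
    return elements


def client_ip(nodes: List[Optional[str]], peer_addr: str, trusted_proxies) -> Optional[str]:
    """Pick the client address from the forwarded chain plus the TCP peer.

    The peer is the only address we know was not chosen by the client, so it is
    appended and the walk starts from the right, skipping trusted proxies. The
    first untrusted address is the client; everything left of it is
    user-controlled and ignored, which is the point made in the reply above.
    A non-IP where a real hop should be makes us refuse rather than guess.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = list(nodes) + [normalize_node(peer_addr)]
    for node in reversed(chain):
        if node is None:
            return None
        if not any(ipaddress.ip_address(node) in net for net in trusted):
            return node
    return None  # every hop was one of our proxies; no client address recorded


def resolve(header: str, peer_addr: str, forwarded: bool = False,
            trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Resolve the client IP from either header type and the connection peer."""
    if forwarded:
        nodes = [element.get("for") for element in parse_forwarded(header)]
    else:
        nodes = parse_xff(header)
    return client_ip(nodes, peer_addr, trusted)


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real deployment.
    samples = [
        ("2001:db8::1, 198.51.100.10", False),                 # Cloudflare/nginx style
        ("[2001:db8::1]:4711, 198.51.100.10", False),          # bracketed form
        ("203.0.113.7:4711, 198.51.100.10", False),            # Azure address:port
        ("10.0.0.1, 2001:db8::1, 198.51.100.10", False),       # client prepended a value
        ("garbage, 198.51.100.10", False),                     # injected junk
        ('for="[2001:db8::1]:4711";proto=https, for=198.51.100.10', True),
    ]
    for header, is_forwarded in samples:
        print(f"{header!r:60} -> {resolve(header, '198.51.100.20', is_forwarded)}")
```

The spoofed sample shows why walking from the right matters: the client's prepended 10.0.0.1 is never reached because the first untrusted hop, the one our proxy actually saw, is 2001:db8::1. If the TCP peer is not a trusted proxy the header is ignored entirely and the peer itself is returned.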