Merge pull request #3613 from nickcmaynard/fix-ip-header-ordering

Fix ordering to allow X-Forwarded-For to be correctly managed by Cloudflare
2026-02-04 04:37:11 +01:00 · 2025-09-16 20:57:20 -07:00 · 2025-09-16 20:57:20 -07:00 · aa398201be
commit aa398201be
parent 840e0314f5 2826daad1a
2 changed files with 15 additions and 5 deletions
--- a/src/lib/tests/detect.test.ts
+++ b/src/lib/tests/detect.test.ts
@ -2,6 +2,7 @@ import * as detect from '../detect';
 import { expect } from '@jest/globals';

 const IP = '127.0.0.1';
+const BAD_IP = '127.127.127.127';

 test('getIpAddress: Custom header', () => {
  process.env.CLIENT_IP_HEADER = 'x-custom-ip-header';
@ -17,6 +18,12 @@ test('getIpAddress: Standard header', () => {
  expect(detect.getIpAddress(new Headers({ 'x-forwarded-for': IP }))).toEqual(IP);
 });

+test('getIpAddress: CloudFlare header is lower priority than standard header', () => {
+  expect(
+    detect.getIpAddress(new Headers({ 'cf-connecting-ip': BAD_IP, 'x-forwarded-for': IP })),
+  ).toEqual(IP);
+});
+
 test('getIpAddress: No header', () => {
  expect(detect.getIpAddress(new Headers())).toEqual(null);
 });
--- a/src/lib/constants.ts
+++ b/src/lib/constants.ts
@ -333,17 +333,20 @@ export const BROWSERS = {
  yandexbrowser: 'Yandex',
 };

+// The order here is important and influences how IPs are detected by lib/detect.ts
+// Please do not change the order unless you know exactly what you're doing - read https://developers.cloudflare.com/fundamentals/reference/http-headers/
 export const IP_ADDRESS_HEADERS = [
-  'cf-connecting-ip',
+  'x-client-ip',
+  'x-forwarded-for',
+  'cf-connecting-ip', // This should be *after* x-forwarded-for, so that x-forwarded-for is respected if present
  'do-connecting-ip',
  'fastly-client-ip',
-  'forwarded',
  'true-client-ip',
-  'x-appengine-user-ip',
-  'x-client-ip',
+  'x-real-ip',
  'x-cluster-client-ip',
  'x-forwarded',
-  'x-forwarded-for',
+  'forwarded',
+  'x-appengine-user-ip',
  'x-nf-client-connection-ip',
  'x-real-ip',
 ];