Proxy Server Checker

Evidence {{ analysis.score }}/100 Signals {{ signalRows.length }} Chain {{ chainRows.length }} {{ profileLabel }}

Client Proxy Edge App {{ analysis.score }}%

Check source:

Pasted headers stay local. Current request mode is network-bound and uses the tool Lambda when available.

Paste headers Current request

Current request check:

Use this when the Lambda is deployed; failures leave the pasted sample untouched.

Analysis profile:

Pick the reason you are reviewing these headers before reading the playbook.

Observed remote address:

Paste the access-log remote address when you have it; leave blank when reviewing only header text.

Trusted edge hops:

The address ledger walks from the right side of the chain to find the first non-trusted client candidate.

hop(s)

0 {{ trustedHopLabel }} 5

Request headers:

Recognizes raw headers, CGI-style `HTTP_` names, `REMOTE_ADDR`, `Forwarded`, `Via`, and common CDN client-IP headers.

Strict Forwarded syntax:

Leave off for mixed server logs; turn on when validating proxy output for a standard-compliant edge.

Header	Signal	Strength	Observed value	Finding	Copy
{{ row.header }}	{{ row.signal }}	{{ row.strength }}	{{ row.value }}	{{ row.finding }}

Position	Address or token	Source	Role	Trust note	Copy
{{ row.position }}	{{ row.address }}	{{ row.source }}	{{ row.role }}	{{ row.note }}

Priority	Action	Reason	Owner	Copy
{{ row.priority }}	{{ row.action }}	{{ row.reason }}	{{ row.owner }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A web request often reaches an application after passing through several network devices and services. A home router, office gateway, VPN, forward proxy, content delivery network, load balancer, reverse proxy, ingress controller, or application firewall can all change what the receiving server sees. By the time an application writes an access log, the network connection may identify only the last edge hop, while HTTP headers carry claims about the earlier path.

Proxy headers are useful because they explain gaps between the address on the TCP connection and the address a user, CDN, or upstream service expects to see. They are also risky because most of them are ordinary request headers unless a trusted proxy removes untrusted input and writes fresh values. A client can forge X-Forwarded-For, a proxy can append values in the wrong order, and a CDN client-IP header is trustworthy only when the request really arrived through that CDN.

Support teams compare browser IP reports with server logs when a customer appears to come from an unexpected address.
Platform teams choose which hop should feed access logs, rate limits, geolocation, abuse controls, and trusted-proxy settings.
Privacy reviewers look for VPN, relay, or transparent-proxy clues that may expose the original client address.
Security teams check whether direct origin access or spoofed forwarding headers could bypass an edge policy.

Diagram showing proxy header trust from client claim through forwarding headers to a trusted edge and application.

Header families describe different evidence. X-Forwarded-For and Forwarded can carry address chains. Via, cache, and served-by headers show that an intermediary handled the request even when no client address is exposed. Provider headers such as CF-Connecting-IP, True-Client-IP, or edge request IDs can help correlate CDN traffic, but they still need provider range checks and origin-bypass protection.

A proxy review is a trust-boundary check, not a search for a single magic header. The same header block can support debugging, privacy review, or hardening work, but it cannot prove a visitor's identity by itself. It shows what the receiver observed and what the intermediaries chose to disclose.

How to Use This Tool:

Analyze one request observation at a time so the score, address chain, and playbook actions describe the same path.

Choose Check source. Use Paste headers for a raw request header block, access-log excerpt, or server environment dump. Use Current request when you want the checking service to observe the request reaching the site.
If you paste data, include proxy-related lines and Observed remote address when you have it. The parser accepts colon or equals style entries, folded lines, CGI-style names, REMOTE_ADDR, Forwarded, Via, X-Forwarded-For, and common CDN client-IP headers.
Select Analysis profile. Privacy or VPN check emphasizes leakage clues, Reverse-proxy log review emphasizes trusted-proxy configuration, and CDN or load balancer edge emphasizes provider ranges and origin-bypass checks.
Set Trusted edge hops to the number of controlled hops at the right end of the address chain. If you are unsure, start with 0 or 1, then compare the first untrusted candidate with the real reverse proxy, CDN, ingress, or load balancer path.
Turn on Strict Forwarded syntax when validating a standards-compliant edge. Leave it off for mixed server logs where malformed fragments would distract from the main forwarding evidence.
Read the summary, then compare Proxy Signal Ledger, Address Chain Ledger, Exposure Playbook, and Proxy Evidence Mix. If current-request mode reports that the service is unavailable, switch back to pasted headers or retry after the checking service is reachable.

A useful review ends with a plausible remote address, a trusted-hop count that matches real infrastructure, and a playbook action that can be verified outside the page.

Interpreting Results:

The evidence score measures recognized proxy, CDN, forwarding, edge-identity, and scheme-metadata signals in the submitted sample. It is not a privacy grade, a fraud score, or proof that a client-IP header is truthful. A high score usually means the request path left visible evidence; it does not mean the left-most address should drive access control, rate limiting, or abuse response.

Proxy checker result cues and verification steps
Visible cue	Usual meaning	Verify next
Transparent proxy signal	Forwarding evidence and a multi-hop address chain are present.	Confirm the trusted hops match the actual reverse proxy, ingress, CDN, or load balancer path.
CDN edge signal	A provider-style client-IP or edge identifier appears with chain evidence.	Verify provider IP ranges and block direct origin access before trusting the client-IP value.
Anonymous proxy signal	Proxy or cache disclosure exists, but no original client address is clearly exposed.	For privacy checks, compare browser IP, DNS, WebRTC, and provider logs rather than relying on headers alone.
Forwarded chain needs trust review	Strict syntax checking found a malformed `Forwarded` segment.	Fix the producing proxy or collect a cleaner sample before using that chain for policy decisions.
No proxy header found	No recognized proxy or CDN header was present in the sample.	Do not assume the path is direct; opaque proxies, NAT, mobile carriers, and provider logs may still affect the remote address.

The safest client candidate is normally the address immediately before the trusted edge window. Even that value may represent an untrusted proxy rather than a person or device. Use the Address Chain Ledger as a starting point, then confirm edge configuration, provider ranges, and origin reachability before changing security policy.

Technical Details:

Forwarding headers travel inside the HTTP message, while the observed remote address comes from the network connection seen by the receiving server or checking service. That split is the central technical limit: transport evidence identifies the final hop, and header evidence contains claims written by one or more intermediaries. Secure interpretation needs both.

X-Forwarded-For conventionally lists the original client first and later proxies after it. The standardized Forwarded header uses parameter pairs such as for, by, host, and proto. Via discloses intermediary handling rather than the original client address. CDN and platform headers can add a cleaner client-IP hint or request ID, but the final hop must still be trusted.

Rule Core:

Recognized headers are grouped by evidence type. Address-chain evidence is the most useful for a trust walk; disclosure and edge-identity evidence are still useful because they show that a proxy, cache, provider, or platform handled the request.

Proxy signal groups and checked header examples
Evidence area	Header examples	What it can show
Client address chain	`Forwarded`, `X-Forwarded-For`, `Forwarded-For`	A hop list or forwarding parameter set that may expose client and proxy addresses.
Client address hints	`X-Real-IP`, `Client-IP`, `X-Client-IP`, `CF-Connecting-IP`, `True-Client-IP`, `Fastly-Client-IP`	A single-address claim, often added by a reverse proxy, load balancer, or CDN.
Proxy disclosure	`Via`, `Proxy-Connection`, `X-Cache`, `X-Served-By`, `Server-Timing`	Intermediary, cache, or proxy software evidence without necessarily exposing the original client.
Edge identity	`CF-Ray`, `X-Amz-Cf-Id`, `X-Vercel-Id`, `X-Nf-Request-Id`, `Fly-Request-Id`	Provider request IDs that help correlate the request with CDN or platform logs.
Scheme metadata	`X-Forwarded-Proto`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Original-Host`	Original scheme, host, port, prefix, or route hints used by applications behind a proxy.

Trust Walk:

Address-chain interpretation starts with X-Forwarded-For when that chain exists. If it does not, Forwarded for values become the fallback. The observed remote address is appended when it is available and not already present, then Trusted edge hops marks the controlled positions at the right end.

Proxy address chain trust-walk roles
Role	Assignment rule	Interpretation limit
Left-most client claim	First address token in the selected forwarding chain.	Useful for debugging, but unsafe for security when any later hop is uncontrolled.
Intermediate hop	Any address token between the first claim and the trusted edge window.	May be a user proxy, corporate gateway, privacy relay, NAT path, or forged text.
First untrusted candidate	The address immediately before the trusted edge hops.	The safest client candidate for security use, but it may still be an untrusted proxy.
Trusted edge hop	A chain position covered by the configured trusted-hop count.	Valid only when that position belongs to infrastructure you operate or explicitly trust.
Observed edge	The remote address seen by the receiving server or checking service.	Strong final-hop evidence, but not enough to reveal the original client by itself.

Formula Core:

The score is an evidence-density percentage across five evidence areas. Each area accumulates weighted signal points, is capped at 100 percent, and then contributes one-fifth of the final score. A multi-hop address chain adds a small bonus to the client-address-chain area before the cap is applied.

E_{c} = \min (100, round (\frac{P_{c}}{C_{c}} \times 100))

score = round (\frac{\sum E_{c}}{5})

E is the capped percentage for one evidence area, P is the weighted evidence present in that area, and C is that area's cap. A repeated header can fill one area, but a score near 100 requires evidence across the recognized categories.

Proxy evidence category caps and high-value signals
Evidence area	Cap	High-value signals
Client address chain	`42`	`X-Forwarded-For` contributes `32`, `Forwarded` contributes `30`, and chain length can add up to `10`.
Client address hints	`34`	CDN client-IP headers contribute `24`; other client-IP hints contribute `18`.
Proxy disclosure	`30`	`Via` contributes `22`, and cache or proxy hints contribute `14`.
Edge identity	`24`	Provider request identifiers such as CDN or platform edge IDs contribute `16`.
Scheme metadata	`18`	Forwarded scheme, host, port, prefix, or original-host metadata contributes `10`.

Privacy and Accuracy Notes:

Pasted header analysis stays in the browser. Current-request mode is network-bound because the site has to observe the request reaching its checking service.

Sensitive header values such as authorization, cookie, proxy-authorization, and API key fields are redacted in the evidence ledger.
Current-request mode returns proxy-relevant request headers, the observed remote address, and the observation time; it does not prove what another origin or provider would see.
Private, local, documentation, public-looking, and obfuscated address labels help triage a chain but do not replace provider range validation.
A header score can rise because a request path is verbose, not because it is secure or privacy-preserving.

Worked Examples:

Transparent reverse proxy

Load Transparent sample with Trusted edge hops set to 1. The result should show a Transparent proxy signal, an address chain with a trusted final hop, and a first untrusted candidate immediately before that trusted edge. Use that candidate only after confirming the edge really rewrites inbound forwarding headers.

CDN client-IP review

Load CDN sample and select CDN or load balancer edge. Proxy Signal Ledger should include CDN client-IP and edge vendor evidence, while Exposure Playbook prioritizes provider range checks and direct-origin blocking. The client-IP header is useful only when those checks pass.

Malformed Forwarded header

Paste a Forwarded line with a segment that lacks =, then enable Strict Forwarded syntax. The summary changes to Forwarded chain needs trust review, and the signal ledger records a warning so the proxy output can be fixed or a cleaner sample can be collected.

FAQ:

Can I trust the first IP in X-Forwarded-For?

Not by default. The first value is a client claim unless every hop after it is controlled or verified. Use Trusted edge hops and the Address Chain Ledger to find the first untrusted candidate instead.

Why does a direct-looking request still need review?

No proxy header found only means the submitted sample lacks recognized proxy or CDN headers. NAT, opaque proxies, mobile carriers, and provider-side logs can still affect the observed remote address.

What happens to pasted secrets?

Pasted analysis runs locally, and recognized sensitive header names are redacted in result tables. You should still avoid pasting full cookies, bearer tokens, or production request dumps unless the values are already sanitized.

What should I do if current-request mode fails?

Use Paste headers with a server log or sample request, or retry current-request mode after the checking service is reachable. A failed live check leaves the pasted sample available for local analysis.

Glossary:

Forwarded: A standardized HTTP header that can carry for, by, host, and proto parameters for proxy paths.
X-Forwarded-For: A widely used non-standard header that lists client and proxy addresses, conventionally from original client to later proxies.
Observed remote address: The source address seen on the receiving network connection, usually the final hop before the application or checking service.
Trusted edge hop: A right-end chain position that belongs to infrastructure you control or explicitly trust.
First untrusted candidate: The address just before the trusted edge window, often the safest client candidate for logs or rate limits.
Via: An HTTP header that discloses intermediary handling rather than the original client address.

References:

RFC 7239: Forwarded HTTP Extension, IETF, June 2014.
X-Forwarded-For header, MDN Web Docs, July 4, 2025.
Via header, MDN Web Docs, July 4, 2025.
IP Spoofing via HTTP Headers, OWASP Foundation.
Cloudflare HTTP headers, Cloudflare, May 5, 2026.
How to configure Nginx as a reverse proxy, Simplified Guide.
How to view HTTP request headers with curl, Simplified Guide.