What's the variable HTTP_X_FORWARDED_HOST in the @env hash in middleware?

Question

In a Rack middleware filter, I know the call method takes an env hash variable. I'm looking through someone's Rack middleware code and I see

 env['HTTP_X_FORWARDED_HOST']

Can someone explain what HTTP_X_FORWARDED_HOST means? Is it the host where the request originated from?

Answer 1

I know this is a super-old question, but HTTP_X_FORWARDED_HOST is used when there is a proxy (or multiple proxies) between the browser and your server. If you have this setup:

End User -> Proxy A -> Proxy B -> Server

Then, when End User makes a request (with a Host header), Proxy A will receive it. It will set its own Host, then put the End User Host into X-Forwarded-Host before making the request to Proxy B. Proxy B will do the same, appending Proxy A's Host onto X-Forwarded-Host (so the header will look like EndUserHost,ProxyAHost) and setting its own Host. Your server will then receive a request with Proxy B's Host header, and an X-Forwarded-Host header that has a value that looks like "EndUserHost,ProxyAHost".

Some info: http://hustoknow.blogspot.com/2011/02/x-forwarded-for-vs-httpxforwardedhost.html

One thing to note: An end-user can spoof X-Forwarded-Host, so you have to be careful about the assumptions to make with it.