An HTTP header that records the chain of client IPs through proxies, the canonical way to recover the real client IP behind a load balancer.
X-Forwarded-For (XFF) is a non-standard but ubiquitous HTTP header that lists the original client IP address followed by the IPs of any proxies the request traversed: 'X-Forwarded-For: 1.2.3.4, 10.0.0.1, 10.0.0.2'. Backend services use it to recover the real client IP for logging, geo-IP lookup, and rate limiting; without it, every request would appear to come from the load balancer's IP. The modern standardized counterpart is RFC 7239's Forwarded header, but XFF remains far more widely deployed.
Trusting XFF blindly is a common security mistake: any client can send any X-Forwarded-For header. The right pattern is to trust XFF only when the request arrives from a known proxy (your load balancer's IP range), and to take the leftmost untrusted entry as the real client IP. Misconfiguring this enables IP spoofing for rate limits, audit logs, and geo-blocking, an entire category of avoidable security incidents.
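The trusted-proxy check described above, as an added example that is not code from the original page; the 10.0.0.0/24 proxy range and the function names are assumptions. It reads the list from the right, so hops appended by your own proxies are skipped and entries a client prepended itself are never selected.

```python
import ipaddress

# Assumption for this example: the load balancer tier lives in 10.0.0.0/24.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr):
    """True if addr belongs to a proxy range we operate."""
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_ip(text):
    """Return an ip_address object, or None if the token is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer_addr, xff_values):
    """Resolve the client IP from the TCP peer and the XFF header values.

    xff_values is a list because the header can appear more than once;
    repeated headers are concatenated in the order received.
    """
    peer = parse_ip(peer_addr)
    if peer is None:
        raise ValueError("peer address must be an IP")
    # Request did not come through our proxies: XFF is client-supplied.
    if not is_trusted(peer):
        return str(peer)
    hops = [h for value in xff_values for h in value.split(",")]
    # Walk from the entry nearest our proxies towards the client end.
    for hop in reversed(hops):
        addr = parse_ip(hop)
        if addr is None:
            break  # malformed token: keep the last hop we can vouch for
        if not is_trusted(addr):
            return str(addr)
        peer = addr
    return str(peer)


if __name__ == "__main__":
    # Constructed inputs: a forged entry prepended by the client at 1.2.3.4.
    print(client_ip("10.0.0.2", ["198.51.100.9, 1.2.3.4, 10.0.0.1"]))
```

Use the value this returns, not the raw header, as the key for rate limiting, audit logging and geo-blocking.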