
In some special cases, an HTTP request may contain headers with duplicate values, such as XFF headers appended as follows:

x-forwarded-for: *.*.*.*
x-forwarded-for: *.*.*.*

Using the npm packages express and request, can we parse the duplicate headers with the following code? req.headers['x-forwarded-for']

1 Answer

The duplicate HTTP headers will be combined into a comma-separated list, so in your example

'x-forwarded-for': '1.2.3.4'
'x-forwarded-for': '5.6.7.8'

will become

'x-forwarded-for': '1.2.3.4, 5.6.7.8'

This is done per HTTP RFC2616 available here:

Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded

Here you can find a related issue in node.


6 Comments

Yeah, I have tried with the curl command and it combined the XFF headers for me. But some proxy servers may not perform this combination. If that happens, how does Node handle it?
@zhongfugao not sure I understand what you mean by "not perform this combination". Normally you shouldn't have multiple XFF headers in the first place; proxies should append their IP to the XFF header list, not set a new one.
I see your point! I will try with some proxy servers today to verify this. Thanks in advance!
@peter would there still exist some legacy HTTP clients that send HTTP requests but do not follow RFC 2616? This is my concern here.
@zhongfugao node.js will combine duplicate headers into a comma-separated list no matter what. Although I could imagine that some proxies could strip out duplicates before the request gets to the node server.
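An added example, not part of the original answer or comments: it rebuilds the merged `x-forwarded-for` value from Node's `req.rawHeaders` (which keeps each duplicate line separately) and then picks the client address by counting hops from the right, since only the entries appended by your own proxies can be relied on. The function names, `trustedProxyCount` and the sample addresses are assumptions made for illustration.

```javascript
// Constructed sample in the shape of Node's req.rawHeaders: a flat array of
// alternating names and values, as received, with duplicates left unmerged.
const sampleRawHeaders = [
  'Host', 'app.example',
  'X-Forwarded-For', '1.2.3.4',
  'x-forwarded-for', '5.6.7.8',
];

// One entry per X-Forwarded-For header line, in arrival order.
function xffLines(rawHeaders) {
  const lines = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (rawHeaders[i].toLowerCase() === 'x-forwarded-for') {
      lines.push(rawHeaders[i + 1]);
    }
  }
  return lines;
}

// The single string Node exposes as req.headers['x-forwarded-for'].
function mergedXff(rawHeaders) {
  return xffLines(rawHeaders).join(', ');
}

// Split the merged value into individual hops, dropping empty items.
function xffHops(rawHeaders) {
  return mergedXff(rawHeaders)
    .split(',')
    .map((hop) => hop.trim())
    .filter((hop) => hop.length > 0);
}

// trustedProxyCount (a deployment assumption) is the number of proxies you
// operate in front of the app. Each appends the peer address it saw, so only
// the last trustedProxyCount hops were written by your own infrastructure;
// anything further left arrived from the client and can hold any value.
function clientIp(rawHeaders, socketAddress, trustedProxyCount) {
  if (trustedProxyCount <= 0) return socketAddress;
  const hops = xffHops(rawHeaders);
  const index = hops.length - trustedProxyCount;
  // Fewer hops than proxies: the chain is not what the deployment promises.
  return index >= 0 ? hops[index] : socketAddress;
}
```

In an Express handler the inputs would be `req.rawHeaders` and `req.socket.remoteAddress`.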
