HTTP_X_FORWARDED_FOR Header Handling

Web requests originate with a client (web browser or application consuming an API) and flow through the WAF to your Heroku application. 

Most HTTP request headers are unchanged: they are passed transparently through the WAF to your Heroku application.

An exception is the HTTP_X_FORWARDED_FOR header, which will contain both the IP address of the client making the request and the IP address of the WAF Edge Network node that accepted the request before forwarding it on to your Heroku app.

An Example

Pre WAF, a Heroku app inspecting the HTTP_X_FORWARDED_FOR header would find it had a value of 24.253.155.67.

Post WAF configuration, the HTTP_X_FORWARDED_FOR header would have a value of 24.253.155.67, 185.93.229.11.

Note: the leftmost IP is the originating client (web browser/client machine) and the second value is the WAF IP.

Applicability

Commonly, the need to read the HTTP_X_FORWARDED_FOR header is related to some custom functionality in your application where you are attempting to find the "real" IP address of the client making a request.

Dealing with multiple IPs in the header value may be awkward in your code. As an alternative, you can query the HTTP_X_REAL_IP or HTTP_X_SUCURI_CLIENTIP headers, which will be available Post WAF configuration.
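The following is an added example (not Expedited WAF's or Heroku's own code) showing one way to read the client IP from the multi-value header in the Example section above: walk the list from the right and skip every address you know belongs to the WAF, so that only the hop immediately before the WAF is treated as the client. The WSGI-style environ and the WAF node list are constructed for illustration from the page's sample values.

```python
"""Derive the originating client IP from HTTP_X_FORWARDED_FOR behind a WAF
that appends its own address as the rightmost entry."""
import ipaddress
from typing import Iterable, List, Optional


def parse_forwarded_for(value: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into IP strings.

    Blank entries and anything that is not a syntactically valid IPv4/IPv6
    address are dropped rather than passed along to application logic."""
    ips = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            ips.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # malformed entry: ignore it
    return ips


def client_ip(environ: dict, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the first address, reading from the right, that is not a
    trusted proxy.

    Only the rightmost entry was written by a hop we control (the WAF); the
    entries to its left were supplied by earlier hops, so we trust them only
    as far as the chain of known proxy addresses extends."""
    trusted = {str(ipaddress.ip_address(p)) for p in trusted_proxies}
    chain = parse_forwarded_for(environ.get("HTTP_X_FORWARDED_FOR", ""))
    for ip in reversed(chain):
        if ip not in trusted:
            return ip
    # Header missing, empty, or made up entirely of trusted proxies:
    # fall back to the immediate peer address reported by the platform.
    return environ.get("REMOTE_ADDR")


# Constructed environ reproducing the Post WAF example from this page.
SAMPLE_ENVIRON = {
    "HTTP_X_FORWARDED_FOR": "24.253.155.67, 185.93.229.11",
    "REMOTE_ADDR": "10.0.0.5",  # constructed placeholder peer address
}
WAF_NODES = ["185.93.229.11"]  # assumed list of WAF edge node addresses

if __name__ == "__main__":
    print(client_ip(SAMPLE_ENVIRON, WAF_NODES))  # 24.253.155.67
```

The same function returns 24.253.155.67 for the Pre WAF single-value header, so the code works unchanged before and after the WAF is enabled.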

Issues

If you're having issues getting the above to work and/or observing different behavior please contact support@expeditedsecurity.com and we'll be happy to assist.
