HTTP_X_FORWARDED_FOR Header Handling
Web requests originate with a client (web browser or application consuming an API) and flow through the WAF to your Heroku application.
Most HTTP request headers are unchanged, as they are passed transparently through the WAF to your Heroku application.
An exception is the HTTP_X_FORWARDED_FOR header, which will contain both the IP address of the client making the request and the IP address of the WAF Edge Network node that accepted the request before passing it on to your Heroku app.
Pre WAF, a Heroku app inspecting the HTTP_X_FORWARDED_FOR header would find it had a value of 184.108.40.206.
Post WAF configuration, the HTTP_X_FORWARDED_FOR header would have a value of 220.127.116.11, 18.104.22.168.
Note: the leftmost IP is the originating client (web browser/client machine) and the second value is the WAF IP.
Commonly, the need to read the HTTP_X_FORWARDED_FOR header is related to some custom functionality in your application where you are attempting to find the "real" IP address of the client making a request.
Dealing with multiple IPs in the header value may be awkward in your code. As an alternative, you can query the HTTP_X_REAL_IP or HTTP_X_SUCURI_CLIENTIP headers, which will be available Post WAF configuration.
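One way to read the client IP in a Python WSGI app, shown as an added example that is not code from the original page or the WAF vendor. It assumes the headers appear in `environ` under the names used above and that requests reach the app only through the WAF; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Headers the page names, as WSGI environ keys. The single-value headers
# are tried first; X-Forwarded-For is the fallback.
SINGLE_VALUE_HEADERS = ("HTTP_X_REAL_IP", "HTTP_X_SUCURI_CLIENTIP")
FORWARDED_FOR = "HTTP_X_FORWARDED_FOR"


def _parse_ip(value):
    """Return a normalised IP string, or None if value is not an IP address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def split_forwarded_for(value):
    """Split an X-Forwarded-For value into validated IPs, left to right.

    Returns an empty list if any element is not an IP address, so a
    malformed header is rejected as a whole instead of partly trusted.
    """
    parts = [_parse_ip(p) for p in value.split(",")]
    return parts if all(parts) else []


def client_ip(environ):
    """Client IP for a request that arrived through the WAF, or None."""
    for name in SINGLE_VALUE_HEADERS:
        ip = _parse_ip(environ.get(name, ""))
        if ip:
            return ip
    chain = split_forwarded_for(environ.get(FORWARDED_FOR, ""))
    # Per the page: leftmost entry is the client, the next one is the WAF node.
    return chain[0] if chain else None


if __name__ == "__main__":
    # Constructed sample using documentation-range addresses.
    sample = {"HTTP_X_FORWARDED_FOR": "203.0.113.7, 198.51.100.20"}
    print(client_ip(sample))
```

Because every value is parsed with `ipaddress` before use, a header that does not contain IP addresses yields `None` and never reaches logs, rate limiters or allow-list checks as free text.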
If you're having issues getting the above to work and/or observing different behavior, please contact firstname.lastname@example.org and we'll be happy to assist.