Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Support CenterIssue DefinitionsX-Forwarded-For dependent response

X-Forwarded-For dependent response


Application responses may depend systematically on the presence or absence of an X-Forwarded-For header in requests. This behavior does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Some applications enforce access controls based on the remote IP address of the connecting client. For example, an application might expose administrative functionality only to clients connecting from the local IP address of the server. In some configurations, the presence of an X-Forwarded-For header misleads the application about the client's IP address, allowing an attacker to masquerade as a trusted user. You should review the purpose of the relevant functionality to determine whether this might be the case.


The X-Forwarded-For header is not a robust foundation on which to build any security measures, such as access controls. Any such measures should be replaced with more secure alternatives that are not vulnerable to spoofing.

If the platform application server returns incorrect information about the client's IP address due to the presence of an X-Forwarded-For header, then the server may need to be reconfigured, or an alternative method of identifying clients should be used.

Vulnerability classifications

Typical severity


Type index