Skip to main content

Prevent IP Address Spoofing with X Forwarded-For-Header and AWS ELB in Clojure Ring

·122 words·1 min
Amazon Web Services Clojure Ring
Dennis Schneider


Sometimes you need to get the IP address of the client that originally sent the request to your server. If you are on AWS infrastructure and you are using an Elastic Load Balancer, the usual way to get the IP address is to look at the header called X-Forwarded-For . See this link for reference.

Now in theory the client can manually set that header to any IP address and therefore spoof it. However, AWS will always append the original client IP address to the right of that header. That means, as long as you access the last entry of that string, it will be impossible for the client to spoof the IP address:

(-> (:headers request)
    (get "x-forwarded-for")
    (clojure.string/split #",")