All Products
Search

This Product

    Server Load Balancer:HTTP header fields

    Document Center

    Server Load Balancer:HTTP header fields

    Last Updated:Mar 04, 2026

    This topic describes the additional HTTP header fields that Application Load Balancer (ALB) supports and how to add them. You can customize these header fields to implement specific features.

    Additional HTTP header fields supported by ALB

    HTTP header fields are the header portion of request and response messages in the Hypertext Transfer Protocol (HTTP). You can customize HTTP header fields as needed, which may result in non-standard HTTP header fields on web servers and browsers. The following table describes the additional header fields that ALB supports.

    Field name

    Description

    Applicable listener protocol

    X-Forwarded-For

    Enable the X-Forwarded-For header field to obtain the client IP address.

    • Enable the X-Forwarded-For header field:

      Before ALB sends a request to a backend server, it adds or removes the X-Forwarded-For header field from the request.

      • Add (Default)

        By default, ALB saves the client IP address to the X-Forwarded-For header field and sends the header field to the backend server. If the original request does not contain an X-Forwarded-For header field, ALB creates an X-Forwarded-For header field with the client IP address as its value. Otherwise, ALB appends the client IP address to the existing X-Forwarded-For header field and then sends the header field to the backend server. The X-Forwarded-For request header field may contain multiple IP addresses separated by commas.

      • Remove

        Before ALB sends a request to a backend server, it removes the X-Forwarded-For header field from the request.

    • Disable the X-Forwarded-For header field:

      Before ALB sends a request to a backend server, it does not modify the X-Forwarded-For header field in the request.

    Field format:

    X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …

    Click to view an example of the X-Forwarded-For header field received by the backend server when you select Add, Remove, or Disable.

    In this example, the IP address of the last hop is 127.0.0.1.

    Request description

    Request example

    Enable the X-Forwarded-For header field

    Disable the X-Forwarded-For header field

    Add

    Remove

    The request does not contain an X-Forwarded-For header field

    GET /index.html HTTP/1.1

    Host: example.com

    X-Forwarded-For: 127.0.0.1

    None

    None

    The request contains an X-Forwarded-For header field with one client IP address

    GET /index.html HTTP/1.1

    Host: example.com

    X-Forwarded-For: 127.0.0.2

    X-Forwarded-For: 127.0.0.2, 127.0.0.1

    None

    X-Forwarded-For: 127.0.0.2

    The request contains an X-Forwarded-For header field with multiple client IP addresses

    GET /index.html HTTP/1.1

    Host: example.com

    X-Forwarded-For: 127.0.0.2, 127.0.0.3

    X-Forwarded-For: 127.0.0.2, 127.0.0.3, 127.0.0.1

    None

    X-Forwarded-For: 127.0.0.2, 127.0.0.3

    For more information about how ALB obtains client originating IP addresses, see Obtain client originating IP addresses on backend servers through an ALB instance.

    SLB-ID

    Enable the SLB-ID header field to obtain the SLB instance ID.

    • HTTP

    • HTTPS

    • QUIC

    X-Forwarded-Proto

    Enable the X-Forwarded-Proto header field to obtain the protocol used for the connection between the client and the SLB listener. Your application can use the protocol stored in the X-Forwarded-Proto header field to redirect requests to the destination URL.

    Field format:

    X-Forwarded-Proto: <originatingProtocol>

    • HTTP

    • HTTPS

    • QUIC

    X-Forwarded-Port

    Enable the X-Forwarded-Port header field to obtain the port used for the connection between the client and the SLB listener.

    Field format:

    X-Forwarded-Port: <port>

    • HTTP

    • HTTPS

    • QUIC

    X-Forwarded-Host

    Enable the X-Forwarded-Host header field to obtain the domain name that the client uses to access the SLB instance.

    Field format:

    X-Forwarded-Host: <host>

    • HTTP

    • HTTPS

    • QUIC

    X-Forwarded-Client-srcport

    Enable the X-Forwarded-Client-srcport header field to obtain the port of the client that accesses the SLB instance.

    Field format:

    X-Forwarded-Client-srcport: <port>

    X-Forwarded-Clientcert-subjectdn

    Enable the X-Forwarded-Clientcert-subjectdn header field to obtain the owner information of the client certificate that is used to access the SLB instance.

    After you enable this header field, you must enter a custom HTTP header name.

    HTTPS

    X-Forwarded-Clientcert-issuerdn

    Enable the X-Forwarded-Clientcert-issuerdn header field to obtain the issuer information of the client certificate that is used to access the SLB instance.

    After you enable this header field, you must enter a custom HTTP header name.

    HTTPS

    X-Forwarded-Clientcert-fingerprint

    Enable the X-Forwarded-Clientcert-fingerprint header field to obtain the fingerprint of the client certificate that is used to access the SLB instance.

    After you enable this header field, you must enter a custom HTTP header name.

    HTTPS

    X-Forwarded-Clientcert-clientverify

    Enable the X-Forwarded-Clientcert-clientverify header field to obtain the validation result of the client certificate that is used to access the SLB instance.

    After you enable this header field, you must enter a custom HTTP header name.

    HTTPS

    Note

    • Configure your backend servers to be case-insensitive when they retrieve HTTP header fields. This complies with HTTP specifications.

      • The first letter of the X-Forwarded-For header field that ALB passes to backend servers is always uppercase.

      • For other additional HTTP header fields, if a client request contains a header field, ALB passes the header field to the backend server in the same format as in the client request. Otherwise, ALB passes the header field to the backend server in the format specified in the Field name column of the preceding table.

    • When you enable X-Forwarded-Clientcert-subjectdn, X-Forwarded-Clientcert-issuerdn, X-Forwarded-Clientcert-fingerprint, or X-Forwarded-Clientcert-clientverify, you cannot set the custom HTTP header name to any of the following values: slb-id, slb-ip, x-forwarded-for, x-forwarded-proto, x-forwarded-eip, x-forwarded-port, x-forwarded-client-srcport, x-forwarded-host, connection, upgrade, content-length, transfer-encoding, keep-alive, te, host, cookie, remoteip, or authority.

    • Descriptions of additional HTTP header fields related to client certificates

      The following additional HTTP header fields take effect only when mutual authentication is enabled for an HTTPS listener.

      X-Forwarded-Clientcert-subjectdn

      • Function: Forwards the subject information of the client certificate.

      • Content: The identity information of the certificate owner.

      • Example format: X-Forwarded-Clientcert-Subjectdn: CN=client.example.com,O=Example Corp,C=US

      • Included information:

        • CN (Common Name): The common name

        • O (Organization): The organization name

        • OU (Organizational Unit): The organizational unit

        • C (Country): The country code

        • ST (State): The state or province

        • L (Locality): The city

      X-Forwarded-Clientcert-issuerdn

      • Function: Forwards the issuer information of the client certificate.

      • Content: The information about the certificate authority (CA) that issued the certificate.

      • Example format: X-Forwarded-Clientcert-Issuerdn: CN=Example CA,O=Example Corp,C=US

      • Usage: Used to verify whether the certificate is issued by a trusted CA.

      X-Forwarded-Clientcert-fingerprint

      • Function: Forwards the digital fingerprint of the client certificate.

      • Content: The certificate fingerprint. This is a fixed-length hash value that is calculated by applying a hash algorithm, such as SHA-1 or SHA-256, to the entire digital certificate. It serves as a unique identifier for the certificate.

      • Example format: X-Forwarded-Clientcert-Fingerprint: SHA256=1234567890abcdef...

      • Usage: Uniquely identifies the certificate for validation and auditing.

      X-Forwarded-Clientcert-clientverify

      • Function: Forwards the validation result of the client certificate.

      • Content: The certificate validation status.

      • Possible values:

        • SUCCESS: The certificate is valid.

        • FAILED: The certificate failed the validation.

        • NONE: No client certificate was provided.

        • EXPIRED: The certificate is expired.

        • REVOKED: The certificate is revoked.

    Add HTTP header fields in the console

    Add an HTTP header field when you create a listener

    1. Log on to the ALB console.

    2. In the top navigation bar, select the region where the ALB instance is deployed.

    3. Use one of the following methods to open the listener configuration wizard.

      • On the Instances page, find the target instance and click Create Listener in the Actions column.

      • On the Instances page, click the ID of the target instance. Click the Listener tab and then click Create Listener.

    4. In the Configure Listener wizard, specify the following parameters and click Next.

      Listener Configuration

      Description

      Select Listener Protocol

      Select a protocol for the listener.

      Advanced Settings

      Click Modify to expand the advanced configuration options.

      Custom HTTP Header

      Select the custom HTTP header fields that you want to enable.

      Note

      This topic describes only the configurations related to header fields. For more information about other parameters, see the following topics:

    5. Follow the on-screen instructions to complete the subsequent steps to create the listener.

    Add an HTTP header field to an existing listener

    1. Log on to the ALB console.

    2. In the top navigation bar, select the region where the ALB instance is deployed.

    3. On the Instances page, click the ID of the target instance.

    4. Click the Listeners tab. In the Actions column of the target listener, choose 更多 > Modify Listener.

    5. In the Modify Listener dialog box, click Modify on the right side of Advanced Settings.

    6. In the Custom HTTP Header section, add, retain, or remove header fields, and then click Save.

    Add HTTP header fields using an API

    You can add header fields when you create a listener, or add, retain, or remove header fields for an existing listener.

    • Create a listener: Call the CreateListener API operation and configure the XForwardedForConfig parameter.

    • Modify an existing listener: Call the UpdateListenerAttribute API operation and update the XForwardedForConfig parameter.

    References

    Console operations

    API references

    • CreateListener: Add HTTP header fields by setting the XForwardedForConfig parameter when you create an HTTP, HTTPS, or QUIC listener.

    • UpdateListenerAttribute: Add, retain, or remove header fields by updating the XForwardedForConfig parameter when you update the configuration of a listener.