The originating host of a client request.

Fastly reads this header from requests and writes it into requests. It is defined by an external standard.

For VCL services, Fastly will add or append X-Forwarded-Host headers on incoming requests over TLS, as follows:

  • The client Host header – if the request protocol is TLS.
  • The Host header from the edge – if the origin has a TLS configuration and shielding is enabled.
  • Even if client connection is TLS, unless the origin connection is over TLS, nothing will be added or appended at the shield.


ShieldingRequest ProtocolOrigin ProtocolClient HeaderX-Forwarded-HostNote
NoTLSTLSNoexample.global.ssl.fastly.netAdded at edge
NoTLSTLSYesHost1, example.global.ssl.fastly.netAppended
NoNo TLSTLSYesHost1Pass-through
NoTLSNo TLSNoexample.global.ssl.fastly.netAdded at edge
NoNo TLSNo TLSNonull
NoTLSNo TLSYesHost1, example.global.ssl.fastly.netAppended
NoNo TLSNo TLSYesHost1Pass-through
YesTLSTLSNoexample.global.ssl.fastly.net, example.global.ssl.fastly.netAdded at edge and shield
YesNo TLSTLSNoexample.global.ssl.fastly.netAdded at shield
YesTLSTLSYesHost1, example.global.ssl.fastly.net, example.global.ssl.fastly.netAdded at edge and shield
YesNo TLSTLSYesHost1, example.global.ssl.fastly.netAdded at shield
YesTLSNo TLSNoexample.global.ssl.fastly.netAdded at edge
YesNo TLSNo TLSNonull
YesTLSNo TLSYesHost1, example.global.ssl.fastly.netAdded at edge
YesNo TLSNo TLSYesHost1Pass-through

Overriding multiple entries

To set a single value for this header, add the following to vcl_miss and vcl_pass:

set bereq.http.X-Forwarded-Host = req.http.host;