The originating server of a client request.

Fastly reads this header from requests and writes it into requests. It is defined by an external standard.

For VCL services, Fastly will add or append X-Forwarded-Server headers on incoming requests over TLS, as follows:

  • Fastly's edge cache – if the request protocol is TLS.
  • Fastly's shield cache – if the origin has a TLS configuration and shielding is enabled.
  • Even if client connection is TLS, unless the origin connection is over TLS, nothing will be added or appended at the shield.


ShieldingRequest ProtocolOrigin ProtocolClient HeaderX-Forwarded-ServerNote
NoTLSTLSNocache-nrt6128-NRTAdded at edge
NoNon TLSTLSNonull
NoTLSTLSYesServer1, cache-nrt6146-NRTAppended
NoNon TLSTLSYesServer1Pass-through
NoTLSNon TLSNocache-nrt6128-NRTAdded at edge
NoNon TLSNon TLSNonull
NoTLSNon TLSYesServer1, cache-nrt6146-NRTAppended
NoNon TLSNon TLSYesServer1Pass-through
YesTLSTLSNocache-hnd18734-HND, cache-hkg17928-HKGAdded at edge and shield
YesNon TLSTLSNocache-hkg17933-HKGAdded at shield
YesTLSTLSYesServer1, cache-nrt6122-NRT, cache-hkg17925-HKGAdded at edge and shield
YesNon TLSTLSYesServer1, cache-hkg17926-HKGAdded at shield
YesTLSNon TLSNocache-hnd18723-HNDAdded at edge
YesNon TLSNon TLSNonull
YesTLSNon TLSYesServer1, cache-hnd18746-HNDAdded at edge
YesNon TLSNon TLSYesServer1Pass-through

Overriding multiple entries

To set a single value for this header, add the following to vcl_miss and vcl_pass:

set bereq.http.X-Forwarded-Server = server.hostname;