Prevent X-Forwarded-For spoofing using ELB and Node

I'm analyzing a stack of a public route that rests on an Elastic Load Balancer which opens a port exposed by PM2 that starts a node app using the koa module. At the moment, the IP is logged and that depends solely on the X-Forwarded-For header. If this header is manually created using curl, then the application will write that as the IP address.

Is there an easy way to prevent spoofing of this header or to set up AWS's ELB so it ignores manually inserted headers, or is there a better way than the spoofable header to get the real IP address of the visitor?


  • According to the doc:

    If a request from a client already contains an X-Forwarded-For header, Elastic Load Balancing appends the IP address of the client at the end of the header value. In this case, the last IP address in the list is the IP address of the client.

    So the last IP is always the real IP.
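
The rule in the quoted documentation, written out for Node as an added example (not part of the original answer). It assumes the app port is reachable only through the ELB; `resolveClient`, `parseXff`, `TRUSTED_HOPS` and the sample addresses are constructed for illustration, and the `trustedHops` parameter generalizes the single-ELB case to a chain of several trusted proxies.

```javascript
'use strict';
const net = require('net');

// Assumption: the ELB is the only proxy in front of the app, so exactly one
// right-hand entry of X-Forwarded-For was written by infrastructure we trust.
const TRUSTED_HOPS = 1;

// Split the header into its entries. Node joins repeated X-Forwarded-For
// headers with ", ", but accept an array as well.
function parseXff(headerValue) {
  const raw = Array.isArray(headerValue) ? headerValue.join(',') : (headerValue || '');
  return raw.split(',').map((s) => s.trim()).filter(Boolean);
}

// Return the address to log plus the client-supplied entries to its left,
// which are kept only as untrusted context.
function resolveClient(headerValue, socketAddress, trustedHops = TRUSTED_HOPS) {
  const entries = parseXff(headerValue);
  const idx = entries.length - trustedHops;
  const candidate = idx >= 0 ? entries[idx] : undefined;
  if (candidate && net.isIP(candidate) !== 0) {
    return { ip: candidate, source: 'x-forwarded-for', untrusted: entries.slice(0, idx) };
  }
  // Header missing, too short or malformed: fall back to the TCP peer.
  return { ip: socketAddress, source: 'socket', untrusted: entries };
}

// Constructed sample: a client sent "X-Forwarded-For: 198.51.100.99" with curl
// from 203.0.113.7, and the ELB (peer 10.0.0.12) appended the real address.
const sample = resolveClient('198.51.100.99, 203.0.113.7', '10.0.0.12');
console.log(sample.ip, sample.untrusted);
```

In a Koa handler this could be called as `resolveClient(ctx.get('X-Forwarded-For'), ctx.req.socket.remoteAddress)`.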