
Purpose of "XFFEnabled" in


Article ID: 199842




CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)
CA Strong Authentication
CA Risk Authentication
CA Advanced Authentication


We found the parameter "XFFEnabled" in file, but we have no idea of its usage.
It's not documented in techdocs and there is nothing that looks related in AFM Wizard.

Can you please tell us the purpose of this parameter and how to use it?


Release : 9.1

Component : AuthMinder(Arcot WebFort)

RiskFort(Risk Authentication)


In the current implementation, AFM takes the client IP from the X-Forwarded-For header value without proper validation.


Configuration of the X-Forwarded-For functionality in AFM is now optional, and the functionality is disabled by default.

To support this configuration, a new AFM properties parameter, 'XFFEnabled', has been introduced.

To enable the functionality, set 'XFFEnabled=true' in file.

More logging has been added to show the remote client's IP and the X-Forwarded-For header value that arrive as part of a request to AFM.

The logging also shows the final ClientIP picked for request processing. Validation of the client IP passed in the X-Forwarded-For header has also been added.
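The behaviour described above (opt-in flag, validation of the header value, logging of both inputs and the final choice) can be sketched as follows. This is an added example, not AFM's code: the function names are hypothetical, and it assumes the left-most header entry is the client and that an invalid value falls back to the connection's remote address, neither of which the article states.

```python
import ipaddress
import logging

log = logging.getLogger("xff_example")


def parse_ip(token):
    """Return a normalized IP string, or None if token is not a literal IP."""
    token = token.strip()
    if token.startswith("["):                      # "[2001:db8::1]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:                    # "203.0.113.7:51234"
        token = token.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def load_xff_enabled(properties_text):
    """Read XFFEnabled from properties-file text; absent means disabled."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "XFFEnabled":
            return value.strip().lower() == "true"
    return False


def pick_client_ip(remote_addr, xff_header, xff_enabled):
    """Choose the client IP used for request processing."""
    # %r escapes control characters, so a crafted header cannot forge log lines.
    log.info("remote address=%r X-Forwarded-For=%r", remote_addr, xff_header)
    client_ip = remote_addr
    if xff_enabled and xff_header:
        # Assumption: the first (left-most) entry is the originating client.
        candidate = parse_ip(xff_header.split(",")[0])
        if candidate is not None:
            client_ip = candidate
        else:
            # Assumption: an invalid value falls back to the remote address.
            log.warning("rejected X-Forwarded-For value %r", xff_header)
    log.info("final ClientIP=%s", client_ip)
    return client_ip
```

Because any client can send an X-Forwarded-For header, enabling the flag is only meaningful when AFM sits behind a proxy that sets or overwrites it.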