This article discusses how to secure the X-Forwarded-For HTTP request header in AA (Advanced Authentication).
Normally, the browser client does not send this header. Instead, the browser client's request is intercepted at the enterprise boundary by a deep packet inspection (DPI) firewall that terminates TLS, observes the request, injects the "X-Forwarded-For" request header, and then proxies the request toward other internal enterprise systems for handling.
If the firewall receives an X-Forwarded-For request header from the browser client, it should either treat the request as malicious (and return an error such as HTTP 400 Bad Request) or ignore the client-supplied header and replace it completely with the one the firewall normally injects.
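The two options above, modelled as an added Python example (not code from AA or from any firewall product). The function names, the policy strings, the sample request, and the assumption that the injected value is the client address the firewall observed on the connection are all illustrative.

```python
import ipaddress
from typing import List, Optional, Tuple

Header = Tuple[str, str]
XFF = "x-forwarded-for"  # header names are case-insensitive, compare lowercased


def xff_values(headers: List[Header]) -> List[str]:
    """Every X-Forwarded-For value present, in order, whatever the name's case."""
    return [v for n, v in headers if n.strip().lower() == XFF]


def handle_at_boundary(
    headers: List[Header], peer_ip: str, policy: str = "replace"
) -> Tuple[Optional[int], Optional[List[Header]]]:
    """Model of the boundary firewall (hypothetical helper).

    Returns (400, None) when the request is rejected, otherwise
    (None, headers_to_forward) for the request proxied to internal systems.
    """
    if policy not in ("reject", "replace"):
        raise ValueError("policy must be 'reject' or 'replace'")
    # Assumption: the firewall injects the address it saw on the connection.
    observed = str(ipaddress.ip_address(peer_ip))
    if policy == "reject" and xff_values(headers):
        return 400, None  # client-supplied header treated as malicious
    # Drop every client-supplied instance: the header may repeat and may
    # use any capitalisation, so removing only the first match is not enough.
    kept = [(n, v) for n, v in headers if n.strip().lower() != XFF]
    kept.append(("X-Forwarded-For", observed))
    return None, kept


# Constructed sample: a client request carrying two forged instances.
SPOOFED: List[Header] = [
    ("Host", "aa.example.test"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("x-forwarded-for", "127.0.0.1"),
]
PEER = "203.0.113.7"  # constructed client address (documentation range)

if __name__ == "__main__":
    print(handle_at_boundary(SPOOFED, PEER, "reject"))
    print(handle_at_boundary(SPOOFED, PEER, "replace"))
```

With either policy, no client-supplied X-Forwarded-For value reaches the internal systems; the only value they can see is the one the firewall wrote.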