# Advanced API Security best practices

*This page applies to **Apigee** and **Apigee hybrid**.*

*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*

This page describes some best practices for working with Advanced API Security.

Configure client IP resolution
------------------------------

If the [default client IP resolution algorithm](/apigee/docs/api-platform/system-administration/client-ip-resolution#default-client-ip-address-resolution) does not work for your use case, it can be customized per environment. See [client IP resolution](/apigee/docs/api-platform/system-administration/client-ip-resolution). Configuring this setting allows Advanced API Security to find and use the appropriate client IP address for each API request, and ensures consistent client IP address resolution across your environment.

In order to use client IP resolution, you'll also need to [Preserve X-Forwarded-For request headers](#preserve-x-forwarded-for-request-headers).

Preserve X-Forwarded-For request headers
----------------------------------------

The X-Forwarded-For (XFF) request header is a standard header for identifying the originating IP addresses of clients connecting to a web server through a proxy server. Many platforms provide the ability to strip off XFF headers from incoming requests for security purposes. However, this is not recommended if you are using Advanced API Security, because the machine learning algorithms it uses need the IP address information to identify abuse traffic and to calculate security scores.

### How to determine if your platform is stripping off XFF headers

To determine if your platform is stripping off XFF headers, make an API call like the following (the URL is quoted so that the `&` separators and parentheses in the query string are not interpreted by the shell):

```
curl "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/stats/x_forwarded_for_ip?select=avg(total_response_time)&timeRange=9/24/2018%2000:00~10/25/2018%2000:00&timeUnit=day" \
  -H "Authorization: Bearer $TOKEN"
```

where `ORG` is your organization and `ENV` is an environment in the organization.

If your platform is stripping off XFF headers, this returns a response in which the first line will be

```
 "name": "(not set)",
```

The `(not set)` in the response means your platform is stripping off XFF headers.

Last updated 2025-08-28 UTC.
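The check above reads the raw response by eye. As an added example (not Apigee's own code), the following Python parses a stats response grouped by the `x_forwarded_for_ip` dimension and reports whether the environment's traffic is wholly, partly, or not at all missing a client IP. It assumes the query was run with `select=sum(message_count)` rather than the `avg(total_response_time)` shown above, so that each dimension carries a request count, and assumes the `environments[].dimensions[].metrics[].values[]` response shape; the sample response is constructed.

```python
"""Added example (not Apigee's code): parse a stats response grouped by the
x_forwarded_for_ip dimension and judge whether XFF headers are being stripped.
Assumes select=sum(message_count) and the environments/dimensions/metrics shape."""
import ipaddress
import json

NOT_SET = "(not set)"

# Constructed sample: one real client IP plus traffic whose XFF header was
# stripped before Apigee saw it, so its dimension value is "(not set)".
SAMPLE_RESPONSE = json.dumps({"environments": [{"name": "prod", "dimensions": [
    {"name": "203.0.113.7", "metrics": [{"name": "sum(message_count)",
                                          "values": [{"timestamp": 1, "value": "120.0"}]}]},
    {"name": NOT_SET, "metrics": [{"name": "sum(message_count)",
                                   "values": [{"timestamp": 1, "value": "880.0"}]}]},
]}]})


def request_counts_by_client_ip(raw_json):
    """Map each x_forwarded_for_ip value to its total request count."""
    counts = {}
    for env in json.loads(raw_json).get("environments", []):
        for dim in env.get("dimensions", []):
            n = sum(float(v["value"]) for m in dim.get("metrics", [])
                    for v in m.get("values", []))
            counts[dim["name"]] = counts.get(dim["name"], 0.0) + n
    return counts


def xff_verdict(raw_json):
    """Return 'stripped', 'partial', 'preserved' or 'no-data', the share of
    requests that carried no client IP, and dimension values that are not IPs."""
    counts = request_counts_by_client_ip(raw_json)
    total = sum(counts.values())
    if total == 0:
        return {"verdict": "no-data", "unset_share": 0.0, "odd_values": []}
    unset = counts.get(NOT_SET, 0.0)
    odd = []
    for name in counts:
        if name == NOT_SET:
            continue
        try:
            ipaddress.ip_address(name)
        except ValueError:
            odd.append(name)  # a proxy wrote something unexpected into XFF
    verdict = "stripped" if unset == total else "partial" if unset else "preserved"
    return {"verdict": verdict, "unset_share": unset / total, "odd_values": odd}
```

A `partial` verdict usually means only some ingress paths strip the header; `odd_values` lists client-IP values that did not parse as an address and deserve a look at the proxy that produced them.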