Skip to content

Proxy Headers

When a record is proxied (traffic flows through the nsin edge), nsin adds a set of HTTP headers before forwarding the request to your origin server, and a few more on the response sent back to the visitor. Your application, reverse proxy, WAF, or log pipeline can read these to recover the real visitor, their location, and a request id for troubleshooting.

All nsin headers use the Nsn-* prefix.

Headers added to the request (nsin → your origin)

Section titled “Headers added to the request (nsin → your origin)”
HeaderExampleMeaning
Nsn-Connecting-IP203.0.113.10The real visitor’s IP address. Use this to identify the client.
X-Forwarded-For203.0.113.10, 198.51.100.1Standard proxy chain; the visitor is the first entry.
X-Real-IP203.0.113.10The visitor IP (single value).
Forwardedfor="203.0.113.10";host="...";proto=httpsRFC 7239 structured form.

Prefer Nsn-Connecting-IP over X-Forwarded-For / X-Real-IP: it sits outside the X-Forwarded-* family, so it carries the real visitor even when another proxy in front of your origin rewrites that family to its own peer.

HeaderExampleMeaning
X-Forwarded-ProtohttpsProtocol the visitor used. Use it to enforce HTTPS / build absolute URLs.
X-Forwarded-Hostapp.example.comThe hostname the visitor requested.
X-Forwarded-Port443The port the visitor connected on.

The upstream Host header is set to the hostname the visitor requested (for a wildcard record this is the actual subdomain, e.g. api.example.com, not *), unless you configure a Host Header Override on the record.

HeaderExampleMeaning
Nsn-CountryNLTwo-letter ISO country code. XX when unknown.
Nsn-ContinentEUContinent code (AF, AS, EU, NA, OC, SA, AN). Omitted when unknown.

Geolocation is best-effort from an IP database; accuracy varies by network. nsin does not currently expose city, region, postal code, latitude/longitude, or timezone.

HeaderExampleMeaning
Nsn-Ray8e9c123456789abcUnique request id. Log it to correlate a request across systems.
Nsn-EdgeEDGESThe nsin PoP (edge) that handled the request.
CDN-LoopnsinLoop-prevention marker (RFC 8586). If a request re-enters the nsin edge already carrying nsin, it is rejected to prevent an infinite loop — so don’t point your origin back at nsin.

Headers added to the response (nsin → visitor)

Section titled “Headers added to the response (nsin → visitor)”
HeaderExampleMeaning
Nsn-Ray8e9c123456789abcSame request id as above, returned to the visitor for support/debugging.
Nsn-EdgeEDGESThe nsin PoP that served the request.
Nsn-Cache-StatusHITHow the cache handled the request.
ServerNSINIdentifies the nsin edge.

Nsn-Cache-Status values:

ValueMeaning
HITServed from the nsin cache; your origin was not contacted.
MISSNot in cache; fetched from your origin (and may now be cached).
BYPASSCache deliberately skipped (e.g. cookies, authorization, or a cache rule).
DYNAMICNot cacheable — served straight from origin.

Most frameworks and reverse proxies can be pointed at the connecting-IP header. For example, in nginx:

real_ip_header Nsn-Connecting-IP;
# set_real_ip_from <nsin edge IPs>; # only trust the header from nsin

See also Domain Modes for the difference between proxied and DNS-only records, and Security Headers for the optional response headers you can enable per domain.