How to detect if an IP address is using a proxy

Last Updated Dec 28, 2020
Emma Jagger

Engineer, maker, Google alumna, CMU grad

Occasionally you need to be able to detect whether a user is using a proxy server through your website.  For various reasons, you may want to restrict access, such as different licensing zones for different regions, protecting individual identity and privacy of users on a site which requires registration, or for any other reason. 

At a basic level, identifying whether a user is using a proxy is not terribly difficult.  You can check the headers of the HTTP request to see if there is an x-forwarded-for entry, or something similar.   

How to detect a proxy using header info

The easiest thing to do is to simply check headers for presence of a specific header. In the example below, you can create an array of headers to look for, such as for example, X_FORWARDED_FOR, and then iterate through this array in a loop to identify if that entry exists.   For example, if you are using PHP, you can use the below code snippet to do this.

We create a variable named $headers, and in it include a list of common headers used in proxies.  Below that we run a foreach loop checking each entry in the array using the global $_SERVER variable to see if it exists.  If it does, we return an error. 



$headers  = array(
        'HTTP_VIA',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_FORWARDED',
        'HTTP_CLIENT_IP',
        'HTTP_FORWARDED_FOR_IP',
        'VIA',
        'X_FORWARDED_FOR',
        'FORWARDED_FOR',
        'X_FORWARDED',
        'FORWARDED',
        'CLIENT_IP',
        'FORWARDED_FOR_IP',
        'HTTP_PROXY_CONNECTION'
    );
    foreach($headers as $header){
        if (isset($_SERVER[$header])) die("You are attempting to access this site with a proxy.");
    }


The problem with using headers to detect proxies

Unfortunately, the easiest methods of doing it yourself may not be entirely effective at producing the desired results.  Many users of proxies are doing so specifically to avoid being detected, sometimes for good reasons, and sometimes not.    

Often with proxy servers, this information is not necessarily required in headers; this approach will only be effective in catching the lowest grade of proxies.  For many users who wish to use anonymous proxies, they may be able to slip by undetected by simply not including any of the above information in the HTTP headers.

API services: A better way to detect proxies

However, there is some good news that may help us out a little; we can use third-party proxy lists to detect whether users are on a list of known proxies.  While this may not help in every case, it should help reduce at least some of the extraneous traffic.   

The easiest approach is to use Abstract's interface to be able get geolocation information information about an IP address.   It is extremely easy to use with jQuery.    There are many parameters we can use to get the proxy information, as to whether a user's IP is coming through a proxy or VPN.

This is just one of several pieces of info you can get from an IP address. All you need is the following code.  Note that in this case we are only grabbing the ip_address and the security keys from the JSON feed in this API. All you need to be able to run this is a unique API key which you can get for free by signing up



$.getJSON("https://ipgeolocation.abstractapi.com/v1/?api_key=YOUR_UNIQUE_API_KEY", function(data) { 
       console.log(data.ip_address);
       console.log(data.security);
   })


There are a wide range of other parameters that can be found from this API, including city, country, longitude, latitude and more.  If you need to get more information other than proxy or VPN information, you can get the full documentation for the IP Geolocation API here.

Related articles

No items found.
Abstract's IP Geolocation API comes with Javascript libraries, code snippets, guides, and more.
Get started