How to detect a proxy using header info
The easiest thing to do is to simply check headers for presence of a specific header. In the example below, you can create an array of headers to look for, such as for example, X_FORWARDED_FOR, and then iterate through this array in a loop to identify if that entry exists. For example, if you are using PHP, you can use the below code snippet to do this.
We create a variable named $headers, and in it include a list of common headers used in proxies. Below that we run a foreach loop checking each entry in the array using the global $_SERVER variable to see if it exists. If it does, we return an error.
$headers = array(
'HTTP_VIA',
'HTTP_X_FORWARDED_FOR',
'HTTP_FORWARDED_FOR',
'HTTP_X_FORWARDED',
'HTTP_FORWARDED',
'HTTP_CLIENT_IP',
'HTTP_FORWARDED_FOR_IP',
'VIA',
'X_FORWARDED_FOR',
'FORWARDED_FOR',
'X_FORWARDED',
'FORWARDED',
'CLIENT_IP',
'FORWARDED_FOR_IP',
'HTTP_PROXY_CONNECTION'
);
foreach($headers as $header){
if (isset($_SERVER[$header])) die("You are attempting to access this site with a proxy.");
}
The problem with using headers to detect proxies
Unfortunately, the easiest methods of doing it yourself may not be entirely effective at producing the desired results. Many users of proxies are doing so specifically to avoid being detected, sometimes for good reasons, and sometimes not.
Often with proxy servers, this information is not necessarily required in headers; this approach will only be effective in catching the lowest grade of proxies. For many users who wish to use anonymous proxies, they may be able to slip by undetected by simply not including any of the above information in the HTTP headers.
API services: A better way to detect proxies
However, there is some good news that may help us out a little; we can use third-party proxy lists to detect whether users are on a list of known proxies. While this may not help in every case, it should help reduce at least some of the extraneous traffic.
The easiest approach is to use Abstract's interface to be able to get geolocation information about an IP address. It is extremely easy to use with jQuery. There are many parameters we can use to get the proxy information, as to whether a user's IP is coming through a proxy or VPN.
This is just one of several pieces of info you can get from an IP address. All you need is the following code. Note that in this case we are only grabbing the ip_address and the security keys from the JSON feed in this API. All you need to be able to run this is a unique API key which you can get for free by signing up.
$.getJSON("https://ipgeolocation.abstractapi.com/v1/?api_key=YOUR_UNIQUE_API_KEY", function(data) {
console.log(data.ip_address);
console.log(data.security);
})
There are a wide range of other parameters that can be found from this API, including city, country, longitude, latitude and more. If you need to get more information other than proxy or VPN information, you can get the full documentation for the IP Geolocation API here.
Frequently Asked Questions
What is proxy detection and why does it matter for developers?
Proxy detection is the process of identifying whether an incoming request is being routed through a proxy server rather than a direct connection. Developers use it to enforce geographic licensing restrictions, protect access-controlled content, and reduce fraud on registration-required services.
Can I detect a proxy by checking HTTP request headers?
Yes, headers like X-Forwarded-For, HTTP_VIA, and HTTP_CLIENT_IP often reveal a proxy when present. However, this only catches low-grade proxies; users running sophisticated anonymous proxies can simply omit those headers, bypassing detection entirely.
How do I check for a proxy in PHP?
In PHP, you can loop through an array of known proxy-related header names and check them against the $_SERVER superglobal. If any of those keys are set and non-empty, the request is likely coming through a proxy. Keep in mind this approach misses anonymous proxies that strip identifying headers.
Why use an IP geolocation API instead of header checks?
IP geolocation APIs cross-reference an IP against continuously updated databases of known proxy and VPN exit nodes, catching sophisticated proxies that header inspection misses. Abstract's IP Geolocation API, for example, returns security fields alongside location data so you can check proxy status in a single request.
How do I query Abstract's IP Geolocation API for proxy status using jQuery?
You can make an asynchronous JSON request to the Abstract IP Geolocation endpoint with your API key, then read the security object in the response to check whether the IP is flagged as a proxy or VPN. This keeps detection client-side optional and avoids a server round-trip in lightweight front-end setups.
What are the main limitations of proxy detection?
No single method is foolproof. Header-based checks miss anonymous proxies, while database-driven APIs can produce false positives for corporate NAT gateways, mobile carrier networks, and satellite providers that share IP ranges with known proxies. Combining header inspection with an API-based check gives the most reliable results.
