RFC 7239 Quiz | ToppyMicroServices

Q1: In one sentence, the Forwarded header is used to

Multiple Choice

A. Convey original client and proxy related information across intermediaries B. Replace TLS for HTTP encryption C. Guarantee that an IP address is authentic without any trust boundary

**Explanation:** **Terms:** proxy, intermediary, metadata **Correct (A):** Forwarded carries information like client identity and protocol as observed by proxies **Options:** - A (correct): This is the intended function - B (incorrect): Encryption is not its role - C (incorrect): It is only as trustworthy as your proxy trust boundary **Related:** Always define which proxies are trusted to add or overwrite these headers

Q2: Which are common Forwarded parameters (select all)

Multi-Select

A. for B. by C. proto D. host

**Explanation:** **Terms:** parameter, token, quoted string **Correct (A,B,C,D):** These are the commonly used standardized parameters **Related:** Values can be quoted, and may include obfuscated identifiers

Q3: How are multiple proxies represented in Forwarded

Multiple Choice

A. Use one header per hop and forbid commas B. Use a comma separated list of forwarded elements C. Embed JSON in the header value

**Explanation:** **Terms:** list syntax, forwarded element **Correct (B):** Each element corresponds to one proxy hop, and elements are separated by commas **Options:** - A (incorrect): Commas are part of the list syntax - B (correct): Standard HTTP list pattern - C (incorrect): Not the specified format **Related:** Parsing must handle quoting and whitespace

Q4: A key operational risk with Forwarded is

Multiple Choice

A. It forces HTTP/2 downgrade B. It disables HSTS automatically C. Spoofing if you trust it from untrusted sources

**Explanation:** **Terms:** trust boundary, spoofing **Correct (C):** Attackers can add or modify forwarding headers unless you strip and re add them at a trusted edge **Options:** - A (incorrect): Unrelated - B (incorrect): Unrelated - C (correct): This is the main practical pitfall **Related:** Similar trust concerns exist for X-Forwarded-For

Q5: Which parameter name typically identifies the client that initiated the request (one token)

Short Text

**Explanation:** **Terms:** for parameter **Correct:** for **Related:** Values can be IP literals or obfuscated identifiers depending on policy

Q6: Why might a deployment choose obfuscated values like unknown for the for parameter

Multiple Choice

A. To reduce user identification and exposure of internal addressing B. To make compression more efficient C. To bypass authentication

**Explanation:** **Terms:** privacy, data minimization **Correct (A):** The header can leak user identifiers or internal topology, so deployments may intentionally reduce precision **Options:** - A (correct): Privacy and topology hiding - B (incorrect): Not the reason - C (incorrect): Not a security feature **Related:** Logging and analytics pipelines also need an explicit policy for these values

References (URLs)