by tylergetsay 2071 days ago
Depends, some load balancers may think they are behind another load balancer, and forward the header. This is default behavior iirc.
1 comments

A well-behaved reverse proxy or load balancer would not cause security issues. The header contains both 'for' and 'by' parameters. If they are properly filled by the proxies, then it's not a security issue.

source: author of django-forwarded middleware, finds client IP from XFF header.
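
Added example, not part of the thread and not django-forwarded's code: one way to pick the client address from X-Forwarded-For when a proxy may have passed along a client-supplied value. It walks the list from the right and stops at the first hop outside your own proxies. `TRUSTED_PROXIES`, `client_ip` and all sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: networks of the proxies/load balancers you operate yourself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the nearest hop that is not one of our own proxies."""

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    # If the direct peer is not our proxy, the header is client-controlled.
    try:
        if not is_trusted(ipaddress.ip_address(remote_addr)):
            return remote_addr
    except ValueError:
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    nearest = remote_addr
    # Each entry was appended by the hop to its right, so only entries
    # written by trusted proxies can be believed. Walk right to left.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return nearest  # malformed entry: stop at the last verified hop
        if not is_trusted(ip):
            return hop  # first untrusted hop; entries left of it are its claims
        nearest = hop
    return nearest


if __name__ == "__main__":
    # Constructed input: the client sent "6.6.6.6" itself, the edge proxy
    # appended the real peer, and an inner proxy appended the edge proxy.
    print(client_ip("10.0.0.2", "6.6.6.6, 198.51.100.7, 10.0.0.1"))
```

Taking the leftmost entry instead would return the value the client chose to send.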