Proxy Headers
When a record is proxied (traffic flows through the nsin edge), nsin adds a set of HTTP headers before forwarding the request to your origin server, and a few more on the response sent back to the visitor. Your application, reverse proxy, WAF, or log pipeline can read these to recover the real visitor, their location, and a request id for troubleshooting.
All nsin headers use the Nsn-* prefix.
Headers added to the request (nsin → your origin)
Section titled “Headers added to the request (nsin → your origin)”Visitor IP
Section titled “Visitor IP”| Header | Example | Meaning |
|---|---|---|
Nsn-Connecting-IP | 203.0.113.10 | The real visitor’s IP address. Use this to identify the client. |
X-Forwarded-For | 203.0.113.10, 198.51.100.1 | Standard proxy chain; the visitor is the first entry. |
X-Real-IP | 203.0.113.10 | The visitor IP (single value). |
Forwarded | for="203.0.113.10";host="...";proto=https | RFC 7239 structured form. |
Prefer Nsn-Connecting-IP over X-Forwarded-For / X-Real-IP: it sits outside
the X-Forwarded-* family, so it carries the real visitor even when another
proxy in front of your origin rewrites that family to its own peer.
Protocol & host
Section titled “Protocol & host”| Header | Example | Meaning |
|---|---|---|
X-Forwarded-Proto | https | Protocol the visitor used. Use it to enforce HTTPS / build absolute URLs. |
X-Forwarded-Host | app.example.com | The hostname the visitor requested. |
X-Forwarded-Port | 443 | The port the visitor connected on. |
The upstream Host header is set to the hostname the visitor requested (for a
wildcard record this is the actual subdomain, e.g. api.example.com, not *),
unless you configure a Host Header Override on the record.
Geolocation
Section titled “Geolocation”| Header | Example | Meaning |
|---|---|---|
Nsn-Country | NL | Two-letter ISO country code. XX when unknown. |
Nsn-Continent | EU | Continent code (AF, AS, EU, NA, OC, SA, AN). Omitted when unknown. |
Geolocation is best-effort from an IP database; accuracy varies by network. nsin does not currently expose city, region, postal code, latitude/longitude, or timezone.
Request tracing & loop protection
Section titled “Request tracing & loop protection”| Header | Example | Meaning |
|---|---|---|
Nsn-Ray | 8e9c123456789abc | Unique request id. Log it to correlate a request across systems. |
Nsn-Edge | EDGES | The nsin PoP (edge) that handled the request. |
CDN-Loop | nsin | Loop-prevention marker (RFC 8586). If a request re-enters the nsin edge already carrying nsin, it is rejected to prevent an infinite loop — so don’t point your origin back at nsin. |
Headers added to the response (nsin → visitor)
Section titled “Headers added to the response (nsin → visitor)”| Header | Example | Meaning |
|---|---|---|
Nsn-Ray | 8e9c123456789abc | Same request id as above, returned to the visitor for support/debugging. |
Nsn-Edge | EDGES | The nsin PoP that served the request. |
Nsn-Cache-Status | HIT | How the cache handled the request. |
Server | NSIN | Identifies the nsin edge. |
Nsn-Cache-Status values:
| Value | Meaning |
|---|---|
HIT | Served from the nsin cache; your origin was not contacted. |
MISS | Not in cache; fetched from your origin (and may now be cached). |
BYPASS | Cache deliberately skipped (e.g. cookies, authorization, or a cache rule). |
DYNAMIC | Not cacheable — served straight from origin. |
Reading the real visitor IP
Section titled “Reading the real visitor IP”Most frameworks and reverse proxies can be pointed at the connecting-IP header. For example, in nginx:
real_ip_header Nsn-Connecting-IP;# set_real_ip_from <nsin edge IPs>; # only trust the header from nsinSee also Domain Modes for the difference between proxied and DNS-only records, and Security Headers for the optional response headers you can enable per domain.