How to Tell If Your Traffic Is Being Routed

Somewhere between your laptop and whatever website you’re loading, there’s probably a proxy server you didn’t ask for. Not in a tinfoil-hat sense. Corporate networks insert them by default, hotel Wi-Fi almost always runs one, and a growing number of ISPs have started doing it without mentioning it to customers.

The weird part isn’t that it happens. It’s that checking takes about 30 seconds and almost nobody bothers.

The Header Thing

HTTP headers are where proxies trip up. When a transparent proxy forwards your request, it usually tacks on extra fields that weren’t there before, and most proxy software doesn’t even try to hide them.

The big one is X-Forwarded-For. Squid, the caching proxy that half the internet ran on in the 2000s, popularized this header and basically every proxy since has copied the convention. It sticks your real IP address right into the forwarded request so the destination server on the other end can tell who actually sent it.

Other common giveaways include Via (which identifies the proxy software and its version number), Forwarded (the newer IETF replacement that nobody really uses yet), and vendor-specific stuff like X-Proxy-ID. You can check whether you’re behind a proxy with IPRoyal to scan for all of these at once, which beats squinting at Chrome DevTools for twenty minutes.

Wikipedia’s full list of HTTP header fields catalogues every non-standard header out there, and the proxy-related ones are scattered all over the page. Worth bookmarking if you do this regularly.

The catch: high-anonymity proxies scrub all identifying headers before forwarding anything. Clean results rule out careless proxies, not careful ones. So treat a clean header scan as good news, not proof.

DNS, Latency, the Stuff Headers Won’t Show You

So the headers came back clean. Doesn’t mean you’re in the clear.

DNS leak tests tell a different story. Pull up dnsleaktest.com and check which resolver IPs show up, then compare them against your ISP’s resolvers or whatever custom DNS you’ve configured (Cloudflare’s 1.1.1.1, Google’s 8.8.8.8). If they don’t match, something is intercepting and redirecting your queries before they leave the network.

Corporate IT departments do this as standard practice. Most people on those networks have never once thought to look.

Latency is another angle worth trying. If 20ms to a server suddenly becomes 140ms with nothing changed on your end, those extra milliseconds represent extra network hops, meaning extra hardware somewhere in the path that wasn’t there before.

traceroute on Linux/Mac (or tracert on Windows) maps the complete path your packets take. New hops that weren’t there last week point straight at new intermediaries sitting in your connection.

That RFC Nobody Adopted

Quick detour on the standards side. The IETF published RFC 7239 in 2014 to replace X-Forwarded-For with a proper Forwarded header that combines client IP, protocol, and host info into one structured field.

Almost nobody adopted it. Mozilla’s developer docs still list X-Forwarded-For as the de facto standard, even though no standards body ever formalized it. So proxy detection now means checking for both formats, which is annoying but unavoidable.
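
Checking both formats in one pass, as an added example that is not part of the original article: it assumes you already have the request headers as the destination server received them (for instance from a header-echo endpoint), the function names are hypothetical, and SAMPLE is constructed.

```python
import re

# Headers the article names as proxy giveaways (compared case-insensitively).
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-proxy-id")

def _split_unquoted(text, sep):
    """Split on sep only where it sits outside double quotes (no backslash escapes)."""
    return re.split(sep + r'(?=(?:[^"]*"[^"]*")*[^"]*$)', text)

def parse_forwarded(value):
    """Parse an RFC 7239 Forwarded value into one dict per hop."""
    hops = []
    for element in _split_unquoted(value, ","):
        hop = {}
        for pair in _split_unquoted(element, ";"):
            name, eq, val = pair.strip().partition("=")
            if eq:
                hop[name.lower()] = val.strip().strip('"')
        if hop:
            hops.append(hop)
    return hops

def strip_port(node):
    """Drop an optional port: '[2001:db8::1]:4711' or '192.0.2.60:8080'."""
    if node.startswith("[") and "]" in node:
        return node[1:node.index("]")]
    host, colon, port = node.rpartition(":")
    return host if colon and port.isdigit() and "." in host else node

def find_proxy_indicators(headers):
    """headers: request headers exactly as the destination server received them."""
    seen = {k.lower(): v for k, v in headers.items()}
    ips = []
    if "x-forwarded-for" in seen:
        ips += [strip_port(p.strip()) for p in seen["x-forwarded-for"].split(",") if p.strip()]
    if "forwarded" in seen:
        ips += [strip_port(h["for"]) for h in parse_forwarded(seen["forwarded"]) if "for" in h]
    return {"headers": sorted(h for h in PROXY_HEADERS if h in seen),
            "client_ips": list(dict.fromkeys(ips))}  # de-duplicated, order kept

# Constructed sample: what an echo endpoint might report after a proxy added fields.
SAMPLE = {
    "Host": "example.com",
    "Via": "1.1 proxy.example.net (squid/4.10)",
    "X-Forwarded-For": "203.0.113.7, 198.51.100.2",
    "Forwarded": 'for="[2001:db8::17]:4711";proto=https, for=198.51.100.2;by=203.0.113.43',
}
if __name__ == "__main__":
    print(find_proxy_indicators(SAMPLE))
```

An empty result only means no proxy announced itself in these headers, which matches the earlier caveat about proxies that scrub them.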

One other thing that trips people up: reverse proxies (Cloudflare, Akamai, CloudFront) sit server-side, not client-side. They don’t appear in outbound header scans at all, and confusing them with forward proxies is a common mistake.

You Might Already Have Clues

CAPTCHA walls on sites you hit every single day are a dead giveaway. Your IP probably got flagged against a datacenter or proxy blocklist, the kind that companies like MaxMind and IPQualityScore sell to basically every major website out there.

The geographic thing is obvious when it happens. Netflix serving a German library to someone sitting in Arizona means traffic is exiting from a German IP address, full stop. Any quick IP lookup tool will confirm where the world thinks you are right now.

WebRTC leaks are sneakier. Your browser can give up your real IP through STUN requests even behind a proxy, and fingerprinting tools catch the gap between that leaked address and your proxy-assigned location. Timezone and language mismatches between your browser settings and your apparent IP country get flagged the same way.

So Who Should Actually Check?

Anyone who ever connects to something other than their home network, basically. Hotel Wi-Fi, airport lounges, office VPNs: all of them route traffic through intermediaries that don’t announce themselves. You’d never know unless you looked.

Takes 30 seconds. The result tells you a lot about what you should and shouldn’t be doing on that connection.
