The XFF HTTP field can be used to obtain the remote IP when a http server is located behind a reverse proxy. If the remote proxy does not clean the XFF field you can’t trust it. The worst is that this field can be used for injecting code in your website.
I’ve been a such issue in a security plugging logging and not filtering the remote IP field. As this one came from XFF, it was possible to inject javascript into the database remotely and execute that JS when displaying the dashboard of the “security” pluggin.
One of the option to solve this is to clean the XFF field (or reject the request when the XFF is not clean). This can be done with a simple configuration in the http config file (or htaccess)
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^$
RewriteCond %{HTTP:X-Forwarded-For} !^[0123456789.\ ,]{7,36}$
RewriteRule ^ - [L,R=404]
Here, empty XFF and XFF container anything else than numbers and some other char, lower than 7 char and higher the 36 chars will be rejected with a 404 as Last operation.