diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index c4fdd37f15..7d8b2c926e 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -484,7 +484,11 @@ var (
 // Errorf writes formatted error message to w and to logger.
 func Errorf(w http.ResponseWriter, r *http.Request, format string, args ...interface{}) {
 	errStr := fmt.Sprintf(format, args...)
-	errStr = fmt.Sprintf("remoteAddr: %s; %s", r.RemoteAddr, errStr)
+	remoteAddr := strconv.Quote(r.RemoteAddr) // quote remoteAddr and X-Forwarded-For, since they may contain untrusted input
+	if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
+		remoteAddr += ", X-Forwarded-For: " + strconv.Quote(addr)
+	}
+	errStr = fmt.Sprintf("remoteAddr: %s; %s", remoteAddr, errStr)
 	logger.WarnfSkipframes(1, "%s", errStr)
 	// Extract statusCode from args