Sometimes the added header is also passed on through the local proxy to the website, which can expose some of your internal IP addresses and so allow websites to tell your users apart. In Squid 3.1 and later, this pass-through can be eliminated by specifying forwarded_for delete in squid.conf.
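The sketch below is an added example, not Squid's code or part of the original page. It models the X-Forwarded-For value the website receives under each forwarded_for setting, going beyond the delete case in the text, and reads the setting in effect from a squid.conf excerpt. The addresses, the sample configuration and the rule that the last forwarded_for line wins are assumptions made for the example.

```python
import ipaddress

MODES = ("on", "off", "transparent", "truncate", "delete")

def effective_mode(conf_text):
    """forwarded_for value in effect. Assumes the last directive wins; Squid's default is 'on'."""
    mode = "on"
    for raw in conf_text.splitlines():
        parts = raw.split()
        # Commented lines never match: their first token starts with '#'.
        if len(parts) >= 2 and parts[0] == "forwarded_for":
            if parts[1] not in MODES:
                raise ValueError(f"unknown forwarded_for value: {parts[1]}")
            mode = parts[1]
    return mode

def outgoing_xff(mode, client_ip, incoming=None):
    """Modelled X-Forwarded-For value sent to the website, or None if the header is absent."""
    chain = [e.strip() for e in incoming.split(",")] if incoming else []
    if mode == "delete":
        return None                  # header removed entirely
    if mode == "on":
        chain.append(client_ip)      # append the client's address
    elif mode == "off":
        chain.append("unknown")      # hide this hop, keep earlier entries
    elif mode == "truncate":
        chain = [client_ip]          # drop earlier entries, keep the client
    # "transparent": header left exactly as received
    return ", ".join(chain) if chain else None

def exposed_internal(mode, client_ip, incoming=None):
    """Private-range addresses the website would see in the header."""
    value = outgoing_xff(mode, client_ip, incoming)
    found = []
    for entry in (value.split(", ") if value else []):
        try:
            if ipaddress.ip_address(entry).is_private:
                found.append(entry)
        except ValueError:
            pass                     # tokens such as "unknown"
    return found

# Constructed squid.conf excerpt (not from the original page).
SAMPLE_CONF = """\
http_port 3128
forwarded_for on
# forwarded_for transparent
forwarded_for delete
"""

if __name__ == "__main__":
    print("effective:", effective_mode(SAMPLE_CONF))
    for m in MODES:  # constructed addresses: client 192.168.1.23 behind an inner proxy hop 10.0.0.7
        print(f"{m:12} -> {outgoing_xff(m, '192.168.1.23', '10.0.0.7')!r}")
```

In this model, off still forwards entries added by an earlier proxy; only delete leaves the website with no header at all.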