This is safe only if you are using Cloudflare, and in addition, are only exposing your connection to Cloudflare.
In general, you must refuse any connection from anywhere except the IPs listed at https://www.cloudflare.com/pt-br/ips/.
If you are using NGINX, you can use something like the code below to restrict external access to CF:
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
allow 104.16.0.0/13;
allow 104.24.0.0/14;
deny all;
Can this variable be changed by the user so that he can carry out some attack? For example, XSS.
– Gabriel
It can only be changed if the connection is made outside of Cloudflare. You can try running this yourself:
curl -H "Host: seusite.com" -H "CF-Connecting-IP: QualquerCoisa" https://seusite.com
and do the same using the direct IP (instead of the website, via CF). When you use Cloudflare, it is responsible for overriding the header value, and the visitor cannot change it arbitrarily. But, as I mentioned in the answer, if you allow external connections (in this case, by using the direct IP), the visitor can change the header value arbitrarily. – Inkeliz
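The same trust rule can also be enforced in the application as a second layer behind the NGINX allow list. This is an added example, not code from the answer or the comments: the function names and the plain dict of request headers are assumptions, and the ranges are the ones copied from the allow list above. The header is honoured only when the TCP peer is a Cloudflare address, and its value is parsed as an IP address so arbitrary text never reaches logs or HTML.

```python
import ipaddress

# Ranges copied from the NGINX allow list above; keep them in sync with
# the list Cloudflare publishes.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
2a06:98c0::/29 2c0f:f248::/32 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22
103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 172.64.0.0/13 131.0.72.0/22
104.16.0.0/13 104.24.0.0/14
""".split()]


def peer_is_cloudflare(peer_ip: str) -> bool:
    """True when the address of the TCP peer falls inside a Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net
               for net in CLOUDFLARE_RANGES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the visitor address the application may log or rate-limit on."""
    if not peer_is_cloudflare(peer_ip):
        # Direct connection: the header is client-controlled, so ignore it.
        return peer_ip
    value = headers.get("CF-Connecting-IP", "")
    try:
        # Parsing rejects anything that is not an address (markup, newlines).
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return peer_ip


# Constructed sample requests: (TCP peer address, request headers).
SAMPLES = [
    ("172.64.10.5", {"CF-Connecting-IP": "203.0.113.7"}),      # via Cloudflare
    ("198.51.100.20", {"CF-Connecting-IP": "203.0.113.7"}),    # direct to origin
    ("172.64.10.5", {"CF-Connecting-IP": "<b>not-an-ip</b>"}),  # malformed value
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```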