fix(proxy): configure trust proxy via TRUST_PROXY env var

Without trust proxy, the rate limiter uses the reverse proxy IP instead
of the real client IP, making all requests appear to come from one IP.
Set TRUST_PROXY=1 in production when behind a single nginx/Apache hop.
This commit is contained in:
2026-04-26 21:58:36 +02:00
parent c2e65adbc6
commit f1f913f63f
2 changed files with 7 additions and 0 deletions
+4
View File
@@ -34,3 +34,7 @@ COUCHDB_CREDENTIAL="base64-encoded-credentials"
SKYDIVERID_API_URL="https://api.example.com"
SKYDIVERID_API_TOKEN="your-api-token"
AUTHORIZATION_PREFIX="Api-Key"
# Reverse proxy hops in front of the API (e.g. 1 for nginx). Omit in dev.
# Required for rate limiting to use the real client IP behind a proxy.
# TRUST_PROXY=1
+3
View File
@@ -10,6 +10,9 @@ const config = require('./config'),
function createApp() {
const app = express();
if (process.env.TRUST_PROXY) {
app.set('trust proxy', parseInt(process.env.TRUST_PROXY, 10) || process.env.TRUST_PROXY);
}
app.use(helmet({ contentSecurityPolicy: false }));
const allowedOrigins = process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())