From f1f913f63f75dbe8aca9a19fcf8edbf49c9a7a54 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 21:58:36 +0200 Subject: [PATCH] fix(proxy): configure trust proxy via TRUST_PROXY env var Without trust proxy, the rate limiter uses the reverse proxy IP instead of the real client IP, making all requests appear to come from one IP. Set TRUST_PROXY=1 in production when behind a single nginx/Apache hop. --- config/env/.env.example | 4 ++++ src/createApp.js | 3 +++ 2 files changed, 7 insertions(+) diff --git a/config/env/.env.example b/config/env/.env.example index 90d94c8..9aa6428 100644 --- a/config/env/.env.example +++ b/config/env/.env.example @@ -34,3 +34,7 @@ COUCHDB_CREDENTIAL="base64-encoded-credentials" SKYDIVERID_API_URL="https://api.example.com" SKYDIVERID_API_TOKEN="your-api-token" AUTHORIZATION_PREFIX="Api-Key" + +# Reverse proxy hops in front of the API (e.g. 1 for nginx). Omit in dev. +# Required for rate limiting to use the real client IP behind a proxy. +# TRUST_PROXY=1 diff --git a/src/createApp.js b/src/createApp.js index 22c320c..8a553c5 100644 --- a/src/createApp.js +++ b/src/createApp.js @@ -10,6 +10,9 @@ const config = require('./config'), function createApp() { const app = express(); + if (process.env.TRUST_PROXY) { + app.set('trust proxy', parseInt(process.env.TRUST_PROXY, 10) || process.env.TRUST_PROXY); + } app.use(helmet({ contentSecurityPolicy: false })); const allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())