fix(proxy): configure trust proxy via TRUST_PROXY env var

Without trust proxy, the rate limiter uses the reverse proxy IP instead
of the real client IP, making all requests appear to come from one IP.
Set TRUST_PROXY=1 in production when behind a single nginx/Apache hop.
This commit is contained in:
2026-04-26 21:58:36 +02:00
parent c2e65adbc6
commit f1f913f63f
2 changed files with 7 additions and 0 deletions
+3
View File
@@ -10,6 +10,9 @@ const config = require('./config'),
function createApp() {
const app = express();
if (process.env.TRUST_PROXY) {
app.set('trust proxy', parseInt(process.env.TRUST_PROXY, 10) || process.env.TRUST_PROXY);
}
app.use(helmet({ contentSecurityPolicy: false }));
const allowedOrigins = process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())