Set Express 'trust proxy' to 1 for rate limiting behind Render's proxy

claude · claude · commit 6419b10fbda3 · 2026-06-01T05:31:26.000Z
Render forwards the client IP via X-Forwarded-For through a single reverse
proxy. With Express's default trust proxy=false, express-rate-limit throws
ERR_ERL_UNEXPECTED_X_FORWARDED_FOR and cannot key requests by client IP.
Trusting exactly one proxy hop resolves the error without trusting a
spoofable header chain. Verified: a request with X-Forwarded-For to the
rate-limited /api/login route no longer throws.
diff --git a/server.js b/server.js
@@ -172,6 +172,12 @@ function requireAuth(req, res, next) {
 // ─────────────────────────────────────────────────────────────────────────────
 const app = express();
 
+// Render (and most PaaS hosts) terminate TLS at a single reverse proxy that
+// forwards the client IP in X-Forwarded-For. Trust exactly one proxy hop so
+// express-rate-limit can identify clients by real IP without trusting a
+// spoofable header chain. See ERR_ERL_UNEXPECTED_X_FORWARDED_FOR.
+app.set('trust proxy', 1);
+
 const LOCAL_DEV_ORIGINS = [
   'http://localhost:5173',
   'http://127.0.0.1:5173',
