Skip to content

Fix rate limiting behind Render proxy (trust proxy)#50

Merged
ChrisAdamsdevelopment merged 1 commit into
mainfrom
claude/fix-trust-proxy-rate-limit
Jun 1, 2026
Merged

Fix rate limiting behind Render proxy (trust proxy)#50
ChrisAdamsdevelopment merged 1 commit into
mainfrom
claude/fix-trust-proxy-rate-limit

Conversation

@ChrisAdamsdevelopment
Copy link
Copy Markdown
Owner

@ChrisAdamsdevelopment ChrisAdamsdevelopment commented Jun 1, 2026
edited by sourcery-ai Bot
Loading

Problem

On Render the app boots but logs ValidationError: ERR_ERL_UNEXPECTED_X_FORWARDED_FOR on rate-limited routes:

The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default).

Render terminates TLS at a reverse proxy and forwards the client IP via X-Forwarded-For. With Express's default trust proxy=false, express-rate-limit (added in #48) can't determine the real client IP and throws, so rate-limited routes (/api/login, /api/register, /api/auth/*, /api/*) misbehave.

Fix

One line after const app = express():

app.set('trust proxy', 1);

Trusting exactly one proxy hop (not true) lets rate-limiting key on the real client IP without trusting a spoofable X-Forwarded-For chain — the configuration express-rate-limit recommends for single-proxy PaaS hosts like Render.

Verification

  • node --check server.js passes.
  • Booted the server and sent a request with X-Forwarded-For: 203.0.113.7 to the rate-limited /api/login: returns a normal 401 and produces zero ERR_ERL_UNEXPECTED_X_FORWARDED_FOR / ValidationError log entries (previously threw on every such request).

https://claude.ai/code/session_01Db78Ftpd21HmNSHHi6hwYS

Generated by Claude Code

Summary by Sourcery

Bug Fixes:

  • Fix rate-limited routes failing behind a Render proxy due to X-Forwarded-For validation errors when trust proxy is disabled.

@claude
Set Express 'trust proxy' to 1 for rate limiting behind Render's proxy
6419b10 
Render forwards the client IP via X-Forwarded-For through a single reverse
proxy. With Express's default trust proxy=false, express-rate-limit throws
ERR_ERL_UNEXPECTED_X_FORWARDED_FOR and cannot key requests by client IP.
Trusting exactly one proxy hop resolves the error without trusting a
spoofable header chain. Verified: a request with X-Forwarded-For to the
rate-limited /api/login route no longer throws.
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spectracleanseai Ready Ready Preview, Comment, Open in v0 Jun 1, 2026 5:31am

@sourcery-ai
Copy link
Copy Markdown

sourcery-ai Bot commented Jun 1, 2026
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Configures Express to trust a single proxy hop so express-rate-limit can safely use X-Forwarded-For behind Render’s reverse proxy, resolving ERR_ERL_UNEXPECTED_X_FORWARDED_FOR on rate-limited routes.

Sequence diagram for request handling with trust proxy and express-rate-limit

sequenceDiagram
    actor Client
    participant RenderProxy
    participant ExpressApp
    participant rateLimit

    Client->>RenderProxy: HTTP /api/login
    RenderProxy->>ExpressApp: Forward request
    ExpressApp->>ExpressApp: app.set(trust_proxy, 1)
    ExpressApp->>rateLimit: rateLimit(req, res, next)

    alt before_trust_proxy
        rateLimit->>rateLimit: req.ip uses remoteAddress
        rateLimit-->>ExpressApp: ValidationError ERR_ERL_UNEXPECTED_X_FORWARDED_FOR
        ExpressApp-->>Client: 500 or misbehaving response
    else after_trust_proxy_1
        rateLimit->>rateLimit: req.ip uses X-Forwarded-For (first hop)
        rateLimit-->>ExpressApp: next()
        ExpressApp-->>Client: 401 (normal rate-limited auth flow)
    end
Loading

File-Level Changes

Change Details Files
Enable Express to trust a single reverse proxy so rate limiting works correctly behind Render.
  • Call app.set('trust proxy', 1) immediately after Express app initialization.
  • Document in comments that Render (and similar PaaS) terminate TLS at a single proxy and forward client IP via X-Forwarded-For.
  • Explain in comments that trusting exactly one hop lets express-rate-limit use the real client IP without trusting an arbitrary X-Forwarded-For chain and references ERR_ERL_UNEXPECTED_X_FORWARDED_FOR.
 server.js
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@ChrisAdamsdevelopment ChrisAdamsdevelopment marked this pull request as ready for review June 1, 2026 05:33
@ChrisAdamsdevelopment ChrisAdamsdevelopment merged commit 0239afc into main Jun 1, 2026
6 checks passed
sourcery-ai[bot]
sourcery-ai Bot reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Consider making the trust proxy setting configurable (e.g., via an environment variable) so deployments with a different proxy topology than Render can adjust the hop count or disable it without code changes.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- Consider making the `trust proxy` setting configurable (e.g., via an environment variable) so deployments with a different proxy topology than Render can adjust the hop count or disable it without code changes.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ChrisAdamsdevelopment @claude