From 6419b10fbda3d64e08e8cd8139034dde8b053c67 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 1 Jun 2026 05:31:26 +0000
Subject: [PATCH] Set Express 'trust proxy' to 1 for rate limiting behind
 Render's proxy

Render forwards the client IP via X-Forwarded-For through a single reverse
proxy. With Express's default trust proxy=false, express-rate-limit throws
ERR_ERL_UNEXPECTED_X_FORWARDED_FOR and cannot key requests by client IP.
Trusting exactly one proxy hop resolves the error without trusting a
spoofable header chain. Verified: a request with X-Forwarded-For to the
rate-limited /api/login route no longer throws.
---
 server.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server.js b/server.js
index e44df0b..c4b17ca 100644
--- a/server.js
+++ b/server.js
@@ -172,6 +172,12 @@ function requireAuth(req, res, next) {
 // ─────────────────────────────────────────────────────────────────────────────
 const app = express();
 
+// Render (and most PaaS hosts) terminate TLS at a single reverse proxy that
+// forwards the client IP in X-Forwarded-For. Trust exactly one proxy hop so
+// express-rate-limit can identify clients by real IP without trusting a
+// spoofable header chain. See ERR_ERL_UNEXPECTED_X_FORWARDED_FOR.
+app.set('trust proxy', 1);
+
 const LOCAL_DEV_ORIGINS = [
   'http://localhost:5173',
   'http://127.0.0.1:5173',