Skip to content

Fix rate limiting behind Render proxy (trust proxy) #50

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ChrisAdamsdevelopment merged 1 commit into from
Jun 1, 2026
Merged

Fix rate limiting behind Render proxy (trust proxy) #50

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,12 @@ function requireAuth(req, res, next) {
// ─────────────────────────────────────────────────────────────────────────────
const app = express();

// Render (and most PaaS hosts) terminate TLS at a single reverse proxy that
// forwards the client IP in X-Forwarded-For. Trust exactly one proxy hop so
// express-rate-limit can identify clients by real IP without trusting a
// spoofable header chain. See ERR_ERL_UNEXPECTED_X_FORWARDED_FOR.
app.set('trust proxy', 1);

const LOCAL_DEV_ORIGINS = [
'http://localhost:5173',
'http://127.0.0.1:5173',
Expand Down
Loading