diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md index 8caa826..5fac63e 100644 --- a/DEPLOYMENT.md +++ b/DEPLOYMENT.md @@ -415,6 +415,27 @@ If legitimate users hit rate limits: - Implement authentication for higher limits - Consider using API keys +### Rate Limiting Not Working (All Users Blocked Together) + +**Error in logs**: +``` +ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false +``` + +**Cause**: Server is behind a reverse proxy (Render, Heroku, etc.) but Express doesn't trust proxy headers. + +**Impact**: All users appear to have the same IP address, so they share one rate limit bucket. When one user hits the limit, everyone gets blocked. + +**Solution**: Already fixed in `server-http.js` with: +```javascript +app.set('trust proxy', true); +``` + +If you still see this error: +1. Pull latest code from repository +2. Redeploy to your hosting platform +3. Verify logs no longer show the ValidationError + ### Connection Timeouts If requests timeout: diff --git a/server-http.js b/server-http.js index ad947fe..0e692fa 100644 --- a/server-http.js +++ b/server-http.js @@ -661,6 +661,10 @@ ${match.context} // Create Express app const app = express(); +// Trust proxy headers (required for Render, Heroku, etc.) +// This allows rate limiting to work correctly behind reverse proxies +app.set('trust proxy', true); + // Enable CORS app.use(cors());
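Review bot: The DEPLOYMENT.md hunk documents `app.set('trust proxy', true)` as the fix without stating the trade-off, so the troubleshooting entry should say that `true` is the most permissive value and that a hop count is the safer choice behind a single platform proxy. With `true`, Express takes the client address from the leftmost entry of `X-Forwarded-For`, which is whatever the client sends, so the rate-limit key is under the client's control; the docs should recommend `app.set('trust proxy', 1)` (or the proxy's address) and explain that the number is the count of trusted proxy hops in front of the app. Step 3 ("Verify logs no longer show the ValidationError") could also mention that a warning about a permissive `trust proxy` setting from the rate limiter is expected with `true` and is the signal to switch to a hop count.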
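Review bot: In the server-http.js hunk, `app.set('trust proxy', true)` resolves the ValidationError but reintroduces the problem the rate limiter exists to prevent: with `true`, `req.ip` is the leftmost `X-Forwarded-For` entry, which a caller can set to an arbitrary value on every request and thereby land in a fresh rate-limit bucket each time. Since the comment names Render and Heroku, which put one proxy in front of the app, use the hop count instead, e.g. `app.set('trust proxy', 1);`, so only the address added by that proxy is trusted and client-supplied entries are ignored. Update the comment to explain the hop count, and keep the setting next to the rate limiter configuration (or reference it there) so the two are not changed independently.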