Fix rate limiting behind reverse proxy (trust proxy headers)

Critical Fix:
- Added app.set('trust proxy', true) to server-http.js
- Fixes ValidationError about X-Forwarded-For headers
- Allows rate limiting to work correctly on Render/Heroku/etc

Problem:
- Without trust proxy, Express doesn't recognize real client IPs
- All users appear to have the same IP (the proxy's IP)
- Rate limiting applied to ALL users as a single entity
- One user hitting limit blocks everyone

Solution:
- Trust X-Forwarded-For headers from reverse proxies
- Each user now has their own rate limit bucket
- Rate limiting works as designed (50 req/min per IP)

Documentation:
- Added troubleshooting section in DEPLOYMENT.md
- Explains the error and impact
- Shows how to verify the fix

This is required for any deployment behind a reverse proxy
(Render, Heroku, AWS ELB, nginx, etc.)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Lee Hanken
2025-10-26 11:32:42 +00:00
parent caa022c4d8
commit d37a9aca4e
2 changed files with 25 additions and 0 deletions
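To make the trade-off in this commit concrete, here is an added example (not code from the project, and not Express or express-rate-limit themselves) that models how Express resolves `req.ip` from the socket address and `X-Forwarded-For` under three `trust proxy` settings, and feeds the result into a minimal per-IP limiter. The address walk is a simplified re-implementation of what the `proxy-addr` package does for the `false`, `true` and hop-count settings (an assumption about its internals; CIDR lists and names such as `loopback` are omitted). The proxy address, client addresses and request counts are constructed for the demonstration.

```javascript
// Added example: simplified model of Express 'trust proxy' resolution, not the
// project's own code. The walk below mirrors proxy-addr for the false / true /
// hop-count settings only (assumption; CIDR and named lists are left out).

const RATE_LIMIT = 3; // constructed: requests allowed per client IP in this demo

// Build the trust predicate for a given 'trust proxy' setting.
function trustFn(setting) {
  if (setting === true) return () => true;                       // trust every hop
  if (setting === false) return () => false;                     // trust nothing
  if (typeof setting === 'number') return (_addr, hop) => hop < setting; // trust N hops
  throw new TypeError('unsupported trust proxy setting in this model');
}

// Resolve the client IP the way Express does: start at the peer that opened the
// socket, then walk outward through X-Forwarded-For (right to left) while each
// hop is trusted. The first untrusted address, or the end of the chain, wins.
function resolveClientIp(remoteAddress, xff, trustProxy) {
  const chain = [remoteAddress];
  if (xff) {
    const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
    for (let i = hops.length - 1; i >= 0; i--) chain.push(hops[i]);
  }
  const trust = trustFn(trustProxy);
  let i = 0;
  while (i < chain.length - 1 && trust(chain[i], i)) i++;
  return chain[i];
}

// Minimal fixed-window, in-memory per-IP limiter standing in for express-rate-limit.
function makeLimiter(max) {
  const counts = new Map();
  return (ip) => {
    const n = (counts.get(ip) || 0) + 1;
    counts.set(ip, n);
    return n <= max; // true = request allowed
  };
}

// Simulate requests arriving through ONE reverse proxy. A real proxy appends the
// connecting client's address to whatever X-Forwarded-For the client sent, so a
// spoofed value ends up to the LEFT of the genuine one. Returns the number allowed.
function simulate(trustProxy, requests) {
  const limit = makeLimiter(RATE_LIMIT);
  const proxyIp = '10.0.0.2'; // constructed: address the proxy connects from
  let allowed = 0;
  for (const r of requests) {
    const xff = r.spoofed ? `${r.spoofed}, ${r.client}` : r.client;
    if (limit(resolveClientIp(proxyIp, xff, trustProxy))) allowed++;
  }
  return allowed;
}

// Constructed traffic.
// One honest client sending 6 requests:
const honest = Array.from({ length: 6 }, () => ({ client: '203.0.113.5' }));
// Two honest clients, 3 requests each:
const twoClients = [
  ...Array.from({ length: 3 }, () => ({ client: '203.0.113.5' })),
  ...Array.from({ length: 3 }, () => ({ client: '203.0.113.9' })),
];
// One client sending 6 requests, each with a different forged X-Forwarded-For:
const spoofing = Array.from({ length: 6 }, (_, i) => ({
  client: '203.0.113.5',
  spoofed: `198.51.100.${i}`,
}));

for (const setting of [false, true, 1]) {
  console.log(
    `trust proxy = ${String(setting).padEnd(5)}  ` +
    `one client: ${simulate(setting, honest)}/6  ` +
    `two clients: ${simulate(setting, twoClients)}/6  ` +
    `spoofing client: ${simulate(setting, spoofing)}/6`,
  );
}
```

With `false`, both honest clients collapse into the proxy's address and share one bucket (3 of 6 allowed), which is the problem the commit describes. With `true`, the honest cases look right, but the spoofing client gets all 6 requests through because the leftmost, client-chosen header value becomes `req.ip`. With a hop count of `1`, the walk stops at the address the proxy itself appended, so honest clients get separate buckets and the forged entries are ignored.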


@@ -661,6 +661,10 @@ ${match.context}
// Create Express app
const app = express();
// Trust proxy headers (required for Render, Heroku, etc.)
// This allows rate limiting to work correctly behind reverse proxies
app.set('trust proxy', true);
// Enable CORS
app.use(cors());
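Review bot: `app.set('trust proxy', true)` in this hunk trusts every hop in X-Forwarded-For, so a client that sends its own X-Forwarded-For header gets `req.ip` set to the leftmost, client-chosen value and can land every request in a fresh rate-limit bucket; the comment two lines above ("allows rate limiting to work correctly") therefore oversells it, and express-rate-limit's validation, the same one that raised the ValidationError cited in the commit message, warns about a permissive `true` setting for this reason. Prefer the number of trusted proxy hops, e.g. `app.set('trust proxy', 1);` for a single Render/Heroku/ELB layer in front of the app, or an explicit list of proxy addresses/CIDRs for a self-managed nginx, and state the assumed topology in the comment so the value is revisited when the deployment changes.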