Skip to content

fix: honor X-Forwarded-For for rate limits behind trusted proxies#221

Merged
chriscarrollsmith merged 2 commits into
mainfrom
fix/217-rate-limit-trusted-proxy
Jul 2, 2026
Merged

fix: honor X-Forwarded-For for rate limits behind trusted proxies#221
chriscarrollsmith merged 2 commits into
mainfrom
fix/217-rate-limit-trusted-proxy

Conversation

@chriscarrollsmith

Copy link
Copy Markdown
Contributor

Summary

  • Derive rate-limit client IPs from the left-most valid X-Forwarded-For hop when the immediate peer is in TRUSTED_PROXY_IPS
  • Enable uvicorn ProxyHeadersMiddleware when trusted proxies are configured
  • Document TRUSTED_PROXY_IPS in .env.example and add unit tests

Closes #217

Test plan

  • uv run pytest tests/utils/test_rate_limit.py tests/routers/core/test_account.py -k rate_limit
  • uv run ty check .

chriscarrollsmith and others added 2 commits July 2, 2026 16:32
Parse client IPs from X-Forwarded-For only when the immediate peer is listed
in TRUSTED_PROXY_IPS, and enable ProxyHeadersMiddleware in that case.
@chriscarrollsmith
chriscarrollsmith merged commit aeac6e5 into main Jul 2, 2026
2 checks passed
@chriscarrollsmith
chriscarrollsmith deleted the fix/217-rate-limit-trusted-proxy branch July 2, 2026 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: rate limiting breaks behind reverse proxy

1 participant