epicweb-dev · kentcdodds · Jan 31, 2026 · Jan 31, 2026 · Jan 31, 2026 · Jan 31, 2026
diff --git a/docs/skills/epic-security/SKILL.md b/docs/skills/epic-security/SKILL.md
@@ -196,7 +196,7 @@ Epic Stack uses `express-rate-limit` para prevenir abuso.
 
 ```typescript
 // server/index.ts
-import rateLimit from 'express-rate-limit'
+import rateLimit, { ipKeyGenerator } from 'express-rate-limit'
 
 const rateLimitDefault = {
 	windowMs: 60 * 1000, // 1 minute
@@ -205,7 +205,8 @@ const rateLimitDefault = {
 	legacyHeaders: false,
 	validate: { trustProxy: false },
 	keyGenerator: (req: express.Request) => {
-		return req.get('fly-client-ip') ?? `${req.ip}`
+		const clientIp = req.get('fly-client-ip') ?? req.ip
+		return ipKeyGenerator(clientIp)
 	},
 }
 
@@ -508,13 +509,18 @@ export default function SignupRoute({ actionData }: Route.ComponentProps) {
 
 ```typescript
 // server/index.ts
+import { ipKeyGenerator } from 'express-rate-limit'
 const apiRateLimit = rateLimit({
 	...rateLimitDefault,
 	windowMs: 60 * 1000,
 	limit: 100, // 100 requests per minute for API
 	keyGenerator: (req) => {
 		const apiKey = req.get('X-API-Key')
-		return apiKey ?? req.get('fly-client-ip') ?? req.ip
+		if (apiKey) {
+			return apiKey
+		}
+		const clientIp = req.get('fly-client-ip') ?? req.ip
+		return ipKeyGenerator(clientIp)
 	},
 })
 

diff --git a/server/index.ts b/server/index.ts
@@ -4,7 +4,7 @@ import chalk from 'chalk'
 import closeWithGrace from 'close-with-grace'
 import compression from 'compression'
 import express from 'express'
-import rateLimit from 'express-rate-limit'
+import rateLimit, { ipKeyGenerator } from 'express-rate-limit'
 import getPort, { portNumbers } from 'get-port'
 import helmet from 'helmet'
 import morgan from 'morgan'
@@ -128,7 +128,12 @@ const rateLimitDefault = {
 	// When sitting behind a CDN such as cloudflare, replace fly-client-ip with the CDN
 	// specific header such as cf-connecting-ip
 	keyGenerator: (req: express.Request) => {
-		return req.get('fly-client-ip') ?? `${req.ip}`
+		const clientIp: string =
+			req.get('fly-client-ip') ??
+			req.ip ??
+			req.socket.remoteAddress ??
+			'0.0.0.0'
+		return ipKeyGenerator(clientIp)
 	},
 }