fix: enable trust proxy to resolve express-rate-limit failure behind reverse proxy #42

Open
Copilot wants to merge 2 commits into main from copilot/fix-trust-proxy-setting

Copilot AI commented Feb 21, 2026

express-rate-limit throws ERR_ERL_UNEXPECTED_X_FORWARDED_FOR when Express's trust proxy is false (default) and a reverse proxy (e.g., Traefik) adds X-Forwarded-For headers — causing all PATCH and DELETE requests to fail silently.

Changes

  • backend/src/index.ts: Add app.set("trust proxy", 1) immediately after const app = express(), trusting the first upstream proxy hop.

const app = express();
app.set("trust proxy", 1);

Original prompt

Problem

When running behind a reverse proxy (e.g., Traefik in Docker Compose), all PATCH and DELETE requests to the backend fail with the following error:

ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users. See https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/ for more information.
    at Object.xForwardedForHeader (/app/node_modules/express-rate-limit/dist/index.cjs:366:13)
    ...
  code: 'ERR_ERL_UNEXPECTED_X_FORWARDED_FOR',

This means users can create todos but cannot check/uncheck or delete them — the operations silently fail from the user's perspective.

Root Cause

In backend/src/index.ts, the Express app does not have trust proxy enabled. When the frontend sends requests to the backend through a reverse proxy (like Traefik in the Docker Compose setup), the proxy adds an X-Forwarded-For header. The express-rate-limit middleware (used in backend/src/routes/todos.ts) detects this header and throws a ValidationError because Express's trust proxy setting is false by default.

Required Fix

In backend/src/index.ts, add app.set("trust proxy", 1) after creating the Express app. This tells Express to trust the first proxy's X-Forwarded-For header, which resolves the express-rate-limit validation error.

The line should be added right after const app = express(); — for example:

const app = express();
app.set("trust proxy", 1);

This is consistent with the Express documentation recommendation when running behind a reverse proxy, and is specifically recommended by the express-rate-limit library's error page: https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/

Files to Change

  • backend/src/index.ts — add app.set("trust proxy", 1) after const app = express();

This pull request was created from Copilot chat.
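
What the hop count in app.set("trust proxy", 1) changes for the address the rate limiter keys on, as an added example that is not part of this pull request or of Express: clientIp is a hypothetical, simplified model of Express's address selection, and all addresses are constructed. It assumes a proxy that appends the peer address to an existing X-Forwarded-For header.

```javascript
// Simplified model of how Express derives req.ip from the socket address and
// X-Forwarded-For for a given "trust proxy" value. Added illustration only;
// this is not Express's or express-rate-limit's source code.
function clientIp(socketAddr, xForwardedFor, trustProxy) {
  // Candidate addresses, nearest hop first: the TCP peer, then the
  // X-Forwarded-For entries read right to left.
  const forwarded = (xForwardedFor || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse();
  const addrs = [socketAddr, ...forwarded];

  // false trusts nothing, true trusts every hop, a number n trusts n hops.
  const trustedHops =
    trustProxy === true ? Infinity : trustProxy === false ? 0 : trustProxy;

  // The client is the first address that is not a trusted hop, or the
  // farthest address when every hop is trusted.
  return addrs[Math.min(trustedHops, addrs.length - 1)];
}

// Constructed sample: the proxy is 172.18.0.2, the real client is
// 203.0.113.7, and the client sent its own "X-Forwarded-For: 198.51.100.99",
// to which the proxy appended the peer address.
const viaProxy = ["172.18.0.2", "198.51.100.99, 203.0.113.7"];
// The same client reaching the backend port directly, bypassing the proxy.
const direct = ["203.0.113.7", "198.51.100.99"];

function rateLimitKeys() {
  return {
    hopCount1: clientIp(...viaProxy, 1), // real client address
    trustAll: clientIp(...viaProxy, true), // client-supplied header value
    trustNone: clientIp(...viaProxy, false), // proxy address, shared by all clients
    hopCount1Direct: clientIp(...direct, 1), // client-supplied header value
  };
}

console.log(rateLimitKeys());
```

The last case shows that a hop count of 1 only yields the real client address when the backend port is reachable solely through the proxy.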



Co-authored-by: dkrizic <1181349+dkrizic@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix trust proxy setting in Express app" to "fix: enable trust proxy to resolve express-rate-limit failure behind reverse proxy" Feb 21, 2026
Copilot AI requested a review from dkrizic February 21, 2026 19:47
@dkrizic dkrizic marked this pull request as ready for review February 21, 2026 21:06