Skip to content

fix: resolve arcjet ip warning on render by trusting cloudflare proxy#11

Merged
kenneth-loto merged 1 commit into
developfrom
fix/arcjet-ip-render-cloudflare-proxy
Jul 1, 2026
Merged

fix: resolve arcjet ip warning on render by trusting cloudflare proxy#11
kenneth-loto merged 1 commit into
developfrom
fix/arcjet-ip-render-cloudflare-proxy

Conversation

@kenneth-loto

Copy link
Copy Markdown
Owner

Summary

Fixes Arcjet's IP resolution warning on Render by enabling Express proxy trust for Cloudflare, replacing the static proxy CIDR with the cloudflare() helper, and adding a @SkipArcjet() decorator for health check routes that have no client IP.

What's Changed

  • Added NestExpressApplication type and app.set("trust proxy", true) in main.ts so Express reads the real client IP from the x-forwarded-for header set by Cloudflare
  • Created src/common/guards/arcjet-optional.guard.ts extending ArcjetGuard with support for a @SkipArcjet() decorator, allowing individual routes to opt out of Arcjet evaluation
  • Updated arcjet.module.ts to replace the static proxies: ["10.0.0.0/8"] with proxies: [cloudflare()], typed aj as ArcjetNest instead of any, and swapped ArcjetGuard for ArcjetOptionalGuard as the global guard
  • Added @SkipArcjet() to the root GET / endpoint in app.controller.ts since Render's health check probes carry no client IP and would trigger Arcjet warnings on every health check
  • Added live demo URL and cold-start note to README.md

Why

Render's edge infrastructure runs on Cloudflare, which means the real client IP is carried in the x-forwarded-for header rather than the direct socket connection. Without trust proxy true, Express sees the Cloudflare edge node IP instead of the real client, which causes Arcjet to emit an IP resolution warning on every request. The cloudflare() helper ensures Arcjet uses the same Cloudflare-aware IP resolution. Skipping Arcjet on the health check route prevents spurious warnings from Render's probes which have no meaningful client IP to evaluate.

- add NestExpressApplication type and app.set trust proxy true in main.ts so express reads
the real client ip from cloudflare forwarded headers
- create src/common/guards/arcjet-optional.guard.ts extending ArcjetGuard with SkipArcjet
decorator support for exempting specific routes
- update arcjet.module.ts to replace proxies 10.0.0.0/8 with cloudflare() helper, type aj as
ArcjetNest instead of any, and swap ArcjetGuard for ArcjetOptionalGuard
- add SkipArcjet decorator to root GET / in app.controller.ts to skip arcjet on render health
check probes which have no client ip
- add live demo url and cold-start note to README.md
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Base branch auto-updated: This PR has been redirected from main to develop. Please ensure feature, fix, or chore branches are integrated into develop before production releases.

@github-actions github-actions Bot changed the base branch from main to develop July 1, 2026 04:24
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@kenneth-loto kenneth-loto merged commit 21609a6 into develop Jul 1, 2026
11 checks passed
@kenneth-loto kenneth-loto deleted the fix/arcjet-ip-render-cloudflare-proxy branch July 1, 2026 04:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant