Severity: Medium
Component: express-rate-limit middleware
The application uses express-rate-limit without setting app.set('trust proxy', 1) in the Express app. When deployed behind a reverse proxy (Nginx, Caddy, Traefik, which is the standard deployment scenario for a self-hosted application), all incoming requests share the same IP address (127.0.0.1 of the proxy). This causes:
- All users to share a single rate-limit bucket
- The admin backend to become inaccessible after only a few interactions, as parallel API calls from the dashboard exhaust the limit of 100 requests per 15 minutes for all users simultaneously
- The rate limiter providing zero actual protection against brute-force or DDoS, since it limits all traffic indiscriminately regardless of origin
Recommendation:
Add app.set('trust proxy', 1) immediately after Express initialization so that req.ip correctly reads the real client IP from the X-Forwarded-For header. Additionally, consider raising the limit for authenticated admin routes or excluding them entirely from the general rate limiter.
In addition, the RateLimiter button in the admin backend has no effect on the behavior.
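The following is an added illustration written for this report; it is not the application's code and does not depend on Express. It models how Express resolves req.ip from the socket address plus the X-Forwarded-For chain under a numeric 'trust proxy' value (walking back from the proxy and stopping at the first untrusted hop), feeds that key into a fixed-window limiter, and then simulates several clients behind one proxy to show the bucket collapse with trust proxy 0 versus separate buckets with trust proxy 1. The function names (clientIp, RateLimiter, makeRequest, simulate), the 15-minute/100-request window and the client addresses are assumed sample values.

```javascript
// Added illustration, not the reported application's code. Models Express's
// client-IP resolution and a per-IP limiter; all names and addresses are assumed.

// Mirrors how Express derives req.ip: start at the socket peer, walk back
// through X-Forwarded-For (right to left) and stop at the first hop that is
// not among the `trustHops` trusted proxies. With trustHops = 0 the header is
// ignored entirely and every request resolves to the proxy's own address.
function clientIp(remoteAddr, xff, trustHops) {
  const chain = [remoteAddr];
  if (xff) {
    for (const a of xff.split(',').map(s => s.trim()).reverse()) chain.push(a);
  }
  let i = 0;
  for (; i < chain.length - 1; i++) {
    if (i < trustHops) continue; // trusted proxy hop, keep walking back
    break;                       // first untrusted address: that is the client
  }
  return chain[i];
}

// Minimal fixed-window limiter keyed by whatever keyFn returns for a request.
// `skip` lets specific routes bypass the limiter (e.g. authenticated admin APIs).
class RateLimiter {
  constructor({ windowMs, max, keyFn, skip }) {
    this.windowMs = windowMs;
    this.max = max;
    this.keyFn = keyFn;
    this.skip = skip || (() => false);
    this.hits = new Map();
  }
  allow(req, now) {
    if (this.skip(req)) return true;
    const key = this.keyFn(req);
    const entry = this.hits.get(key);
    if (!entry || now - entry.start >= this.windowMs) {
      this.hits.set(key, { start: now, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.max;
  }
}

// Constructed request as seen by the app behind a local reverse proxy: the
// socket peer is always 127.0.0.1 and the proxy appends the real client to XFF.
function makeRequest(clientAddr, path, authenticated = false) {
  return { remoteAddr: '127.0.0.1', xff: clientAddr, path, authenticated };
}

// Simulate `clients` each sending `perClient` requests to `path` through the
// proxy and return how many were rejected by the limiter.
function simulate(trustHops, clients, perClient, max, path = '/api', authenticated = false) {
  const limiter = new RateLimiter({
    windowMs: 15 * 60 * 1000,
    max,
    keyFn: req => clientIp(req.remoteAddr, req.xff, trustHops),
    skip: req => req.authenticated && req.path.startsWith('/admin'),
  });
  let blocked = 0;
  for (const c of clients) {
    for (let n = 0; n < perClient; n++) {
      if (!limiter.allow(makeRequest(c, path, authenticated), 0)) blocked++;
    }
  }
  return blocked;
}

const clients = ['10.0.0.1', '10.0.0.2', '10.0.0.3']; // constructed sample clients
console.log(simulate(0, clients, 50, 100)); // 50: all 150 requests share one bucket
console.log(simulate(1, clients, 50, 100)); // 0: each client has its own bucket
```

The value 1 matters: it trusts exactly the one hop the reverse proxy adds, so only the address the proxy itself appended to X-Forwarded-For is used, while client-supplied entries further left in the header are ignored. Setting trust proxy to true instead would let any client choose its own rate-limit key by sending a forged header. Recent express-rate-limit versions also log a validation error (ERR_ERL_UNEXPECTED_X_FORWARDED_FOR) when an X-Forwarded-For header arrives while trust proxy is unset, which is a quick way to confirm this misconfiguration from the application logs.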