From 69ae731dab52a8a4aca63e47722f08504647fc23 Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Fri, 27 Mar 2026 09:43:09 +0100
Subject: [PATCH] fix(rate-limit): suppress ERR_ERL_PERMISSIVE_TRUST_PROXY behind nginx reverse proxy
---
 lib/mastodon/router.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/mastodon/router.js b/lib/mastodon/router.js
index ffd1b0f..3a28efa 100644
--- a/lib/mastodon/router.js
+++ b/lib/mastodon/router.js
@@ -28,6 +28,7 @@ const apiLimiter = rateLimit({
 max: 300,
 standardHeaders: true,
 legacyHeaders: false,
+ validate: { trustProxy: false }, // behind nginx reverse proxy; trust proxy is intentional
 message: { error: "Too many requests, please try again later" },
 });
@@ -36,6 +37,7 @@ const authLimiter = rateLimit({
 max: 30,
 standardHeaders: true,
 legacyHeaders: false,
+ validate: { trustProxy: false },
 message: { error: "Too many authentication attempts" },
 });
@@ -44,6 +46,7 @@ const appRegistrationLimiter = rateLimit({
 max: 25,
 standardHeaders: true,
 legacyHeaders: false,
+ validate: { trustProxy: false },
 message: { error: "Too many app registrations" },
 });
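Review bot: `validate: { trustProxy: false }` in `apiLimiter` (and again in `authLimiter` and `appRegistrationLimiter`) only switches off express-rate-limit's startup check; it does not change how `req.ip` is derived, so the condition the check warns about is still in place. That check fires when Express `trust proxy` is `true`, which is presumably set where the app is created (not visible in this diff); in that mode the client address is taken from the left-most `X-Forwarded-For` entry, so the per-IP limits, including the 30-request auth limit, hold only if nginx overwrites that header rather than appending to it. Prefer dropping these three lines and setting `trust proxy` to the hop count (`1` for a single nginx) or to nginx's address, which also makes the error go away. If the suppression stays, the comment should say what the option does, e.g. `// disables the permissive trust-proxy check; nginx must overwrite X-Forwarded-For`, and appear on all three limiters. Each `rateLimit({…})` call begins above its hunk, so `windowMs` and any `keyGenerator` are not visible here.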