diff --git a/lib/mastodon/router.js b/lib/mastodon/router.js
index ffd1b0f..12bb057 100644
--- a/lib/mastodon/router.js
+++ b/lib/mastodon/router.js
@@ -22,13 +22,17 @@ import searchRouter from "./routes/search.js";
 import mediaRouter from "./routes/media.js";
 import stubsRouter from "./routes/stubs.js";
 
-// Rate limiters for different endpoint categories
+// Rate limiters for different endpoint categories.
+// validate.trustProxy disabled — Indiekit sets Express trust proxy to true
+// (behind Cloudron/nginx), which express-rate-limit v7+ rejects as too
+// permissive. The proxy is trusted infrastructure, not user-controlled.
 const apiLimiter = rateLimit({
   windowMs: 5 * 60 * 1000, // 5 minutes
   max: 300,
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many requests, please try again later" },
+  validate: { trustProxy: false },
 });
 
 const authLimiter = rateLimit({
@@ -37,6 +41,7 @@ const authLimiter = rateLimit({
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many authentication attempts" },
+  validate: { trustProxy: false },
 });
 
 const appRegistrationLimiter = rateLimit({
@@ -45,6 +50,7 @@ const appRegistrationLimiter = rateLimit({
   standardHeaders: true,
   legacyHeaders: false,
   message: { error: "Too many app registrations" },
+  validate: { trustProxy: false },
 });
 
 /**
diff --git a/package.json b/package.json
index 339017a..db396cb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.10.5",
+  "version": "3.10.6",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",
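Review bot: Setting `validate: { trustProxy: false }` on apiLimiter silences the check without addressing what it warns about: with Express `trust proxy` set to `true`, `req.ip` is taken from the first X-Forwarded-For entry, which the originating client can supply, so the key every limiter buckets on — including authLimiter's protection against repeated authentication attempts — is only reliable if the fronting nginx overwrites rather than appends that header; the new comment's "not user-controlled" claim holds for the proxy, not for the header value the proxy forwards. The same option is added in the authLimiter and appRegistrationLimiter hunks, so this applies to all three. If Indiekit's `trust proxy` value cannot be narrowed to the hop count (`app.set("trust proxy", 1)`), a safer alternative is to key on the address recorded by the single trusted hop, e.g. `keyGenerator: (req) => req.ips.at(-1) ?? req.ip`, shared by the three limiters; at minimum the comment should state the nginx X-Forwarded-For behaviour the deployment relies on. The claim that express-rate-limit v7+ rejects this setting is taken from the comment and not verifiable from the hunk; authLimiter's definition continues past the end of the first hunk.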