Express behind proxies
When running an Express app behind a proxy, set (using app.set()) the application variable
trust proxy to one of the values listed in the following table.
While the app will not fail to run if the application variable
trust proxy is not set, it will incorrectly register the proxy’s IP address as the client IP address unless
trust proxy is configured.
An IP address, subnet, or an array of IP addresses, and subnets to trust. The following is the list of pre-configured subnet names.
Set IP addresses in any of the following ways:
When specified, the IP addresses or the subnets are excluded from the address determination process, and the untrusted IP address nearest to the application server is determined as the client’s IP address.
Custom trust implementation. Use this only if you know what you are doing.
Setting a non-
trust proxy value results in two important changes:
X-Forwarded-Protomay be set by the reverse proxy to tell the app whether it is https or simply http. This value is reflected by req.protocol.
trust proxy setting is implemented using the proxy-addr package. For more information, see its documentation.