trust proxy set to true
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
app.set('trust proxy', true) trusts the X-Forwarded-For header from every hop, so a client can spoof its source IP and defeat IP-based rate limiting or allow-lists.
Why it matters
app.set('trust proxy', true) tells Express to trust the X-Forwarded-For header on every request, from any source. A client can then set that header to spoof its IP, which defeats IP-based rate limiting, allow-lists, and audit logs. The setting only makes sense when you know exactly how many proxies sit in front of the app.
How to fix it
Replace true with the specific number of trusted proxy hops (for example app.set('trust proxy', 1) for a single load balancer), or a list of trusted proxy addresses/subnets. If there is no proxy, remove the setting entirely so Express uses the real socket address.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo