Accessing client IPs in a Node Express App

Hello, I have noticed that request.ip returns req.connection.remoteAddress by default which works when testing. When deployed on Render, it returns the same IP for all incoming requests which I assume is the IP of a load balancer or reverse proxy from what I understand.

I researched and found out I can use app.set("trust proxy", true) to trust the X-Forwarded-Header to get the client IP and this worked. However, to test the security of this I tried sending requests with the X-Forwarded-Header set to spoof my IP and it worked. I realised that the Render reverse proxy does not filter out any incoming X-Forwarded-For headers, but it just appends the proxy IP to that list. So I decided to just get the second-to-last IP address in the X-Forwarded-For list, the one before the IP of the reverse proxy. I just wanted to ask if this is all intended behaviour and if there is a better way of getting the client IP in this scenario.

Hi there,
True-client-IP header should help here - see Understanding the True-Client-IP Header · Cloudflare Network settings docs

Thank you
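
The right-to-left selection described in the question, as an added example that is not part of the original thread or of Render's or Express's code. The function names, the infraEntries parameter and all addresses are assumptions made for illustration; the header layout follows the question's observation that the proxy appends its entry last.

```javascript
// Added example; all addresses are constructed (RFC 5737 / RFC 1918 ranges).

// Strict IPv4 check; IPv6 is validated by the WHATWG URL host parser.
function isIp(s) {
  const octet = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
  if (new RegExp(`^${octet}(\\.${octet}){3}$`).test(s)) return true;
  if (!/^[0-9a-fA-F:.]+$/.test(s) || !s.includes(':')) return false;
  try { new URL(`http://[${s}]/`); return true; } catch { return false; }
}

// Split an X-Forwarded-For value into entries, oldest (left) to newest (right).
function parseXff(value) {
  return String(value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// What trusting the whole header yields: the left-most entry, which is
// whatever the client chose to send.
function leftmostEntry(xff, socketAddr) {
  const list = parseXff(xff);
  return list.length ? list[0] : socketAddr;
}

// Count from the right instead. infraEntries (assumption, hypothetical name) is
// how many right-most entries were appended by proxies you operate or trust.
// Returns null when the header is too short or the entry is not an IP, so the
// caller can fail closed rather than fall back to a spoofable value.
function clientIpFromRight(xff, infraEntries) {
  const list = parseXff(xff);
  const idx = list.length - 1 - infraEntries;
  if (idx < 0) return null;
  return isIp(list[idx]) ? list[idx] : null;
}

// Constructed headers as the app would see them behind one proxy that appends
// its own address last, as the post describes.
const SPOOFED = '198.51.100.99, 203.0.113.7, 10.0.0.5'; // client sent 198.51.100.99
const HONEST = '203.0.113.7, 10.0.0.5';

console.log(leftmostEntry(SPOOFED, '10.0.0.5')); // the client-supplied value
console.log(clientIpFromRight(SPOOFED, 1));      // unaffected by the spoofed prefix
console.log(clientIpFromRight(HONEST, 1));
```

Express's "trust proxy" setting also accepts a hop count or a list of trusted addresses and subnets instead of true, in which case req.ip is resolved from the right of the list in the same way.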