From a1628985939c9e3f8adaf799dadbb16e03648008 Mon Sep 17 00:00:00 2001 From: bitterpanda Date: Mon, 9 Feb 2026 16:59:53 +0100 Subject: [PATCH] Add proxy settings documentation Added documentation for proxy settings and IP address handling. --- docs/proxy.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 docs/proxy.md diff --git a/docs/proxy.md b/docs/proxy.md new file mode 100644 index 000000000..876d3c093 --- /dev/null +++ b/docs/proxy.md @@ -0,0 +1,12 @@ +# Proxy settings + +We'll automatically use the `x-forwarded-for` header to determine the client's IP address when behind a proxy. + +If you're publicly exposing your server without a load balancer in front of it, you should set the `AIKIDO_TRUST_PROXY` env var to `false` to ensure that the correct IP address is used. Otherwise, someone could potentially spoof their IP address by adding the above header and thus bypassing the rate limiting. + +If you need to use a different header to determine the client's IP address, you can set the `AIKIDO_CLIENT_IP_HEADER` environment variable to the name of that header. This will override the default `x-forwarded-for` header. + +```bash +# For DigitalOcean App Platform +AIKIDO_CLIENT_IP_HEADER=do-connecting-ip flask --app app run +```
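Review bot: The `AIKIDO_TRUST_PROXY` paragraph never states the default, so the reader has to infer from "We'll automatically use the `x-forwarded-for` header" that the header is trusted unless the variable is set to `false`. Suggest saying so explicitly, since a directly exposed server stays spoofable until that is done. The `AIKIDO_CLIENT_IP_HEADER` paragraph should also say how it interacts with `AIKIDO_TRUST_PROXY=false`, and that a custom header such as `do-connecting-ip` is only reliable when the platform in front of the app sets or overwrites it. It is also undocumented which address is used when `x-forwarded-for` carries more than one entry. Minor wording: "and thus bypassing the rate limiting" should read "and thus bypass rate limiting".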