🔒 security(api): warn when trust proxy is boolean true

s-b-e-n-s-o-n · s-b-e-n-s-o-n · commit 71eac0087723 · 2026-06-01T14:50:32.000-04:00
DD_SERVER_TRUSTPROXY=true trusts ALL X-Forwarded-For hops, letting
clients spoof req.ip and evade the per-IP login lockout. Emit a startup
warning steering operators to a hop count (DD_SERVER_TRUSTPROXY=1). Trust
proxy behavior itself is unchanged.
diff --git a/app/api/index.test.ts b/app/api/index.test.ts
@@ -760,6 +760,63 @@ describe('API Index', () => {
     expect(mockApp.set).toHaveBeenCalledWith('trust proxy', true);
   });
 
+  test('should warn when trustproxy is boolean true (XFF spoofing risk)', async () => {
+    mockGetServerConfiguration.mockReturnValue({
+      enabled: true,
+      port: 3000,
+      cors: {},
+      tls: {},
+      trustproxy: true,
+    });
+
+    vi.resetModules();
+    const indexRouter = await import('./index.js');
+    await indexRouter.init();
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('trust proxy is set to boolean true'),
+    );
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('DD_SERVER_TRUSTPROXY=1'));
+  });
+
+  test('should not warn when trustproxy is a hop count number', async () => {
+    mockGetServerConfiguration.mockReturnValue({
+      enabled: true,
+      port: 3000,
+      cors: {},
+      tls: {},
+      trustproxy: 1,
+    });
+
+    vi.resetModules();
+    const indexRouter = await import('./index.js');
+    await indexRouter.init();
+
+    const trustProxyWarning = mockLog.warn.mock.calls.find((args) =>
+      args[0]?.includes?.('trust proxy is set to boolean true'),
+    );
+    expect(trustProxyWarning).toBeUndefined();
+  });
+
+  test('should not warn when trustproxy is false', async () => {
+    mockGetServerConfiguration.mockReturnValue({
+      enabled: true,
+      port: 3000,
+      cors: {},
+      tls: {},
+      trustproxy: false,
+    });
+
+    vi.resetModules();
+    const indexRouter = await import('./index.js');
+    await indexRouter.init();
+
+    const trustProxyWarning = mockLog.warn.mock.calls.find((args) =>
+      args[0]?.includes?.('trust proxy is set to boolean true'),
+    );
+    expect(trustProxyWarning).toBeUndefined();
+  });
+
   test('should set json replacer', async () => {
     mockGetServerConfiguration.mockReturnValue({
       enabled: true,
diff --git a/app/api/index.ts b/app/api/index.ts
@@ -195,6 +195,13 @@ function createApp() {
 
   // Trust proxy (helpful to resolve public facing hostname & protocol)
   if (configuration.trustproxy !== false) {
+    if (configuration.trustproxy === true) {
+      log.warn(
+        'trust proxy is set to boolean true, which trusts ALL X-Forwarded-For hops. ' +
+          'Clients can spoof req.ip and evade per-IP login lockout. ' +
+          'Operators behind a single proxy should set DD_SERVER_TRUSTPROXY=1 (the exact hop count) instead.',
+      );
+    }
     app.set('trust proxy', configuration.trustproxy);
   }
 
