Restore original visitor IP addresses when your Node.js app is behind Cloudflare. This package validates that the incoming connection comes from Cloudflare IP ranges before honoring Cloudflare headers like CF-Connecting-IP or True-Client-IP.
When your application is behind Cloudflare, the direct connection comes from Cloudflare's servers, not the actual visitor. Cloudflare provides the real visitor IP in headers like CF-Connecting-IP. However, blindly trusting these headers is a security risk - anyone could spoof them.
This package:
- Validates the connection is actually from Cloudflare by checking IP ranges
- Only then trusts Cloudflare headers to get the real visitor IP
- Works with Express, Fastify, and any Node.js HTTP server
- Includes bundled Cloudflare IP ranges + ability to fetch latest ranges
- Secure: Validates Cloudflare IP ranges before trusting headers
- Framework agnostic: Works with Express, Fastify, raw HTTP servers, and more
- Lightweight: Minimal dependencies (only
range_checkfor IP validation) - Auto-update: Fetch latest Cloudflare IP ranges on demand
- TypeScript: Includes TypeScript definitions
- Fast: Bundled ranges for offline operation
npm install node-cloudflare-realipPackage is now live on npm! Visit: https://www.npmjs.com/package/node-cloudflare-realip
Alternative package managers:
# Using Yarn
yarn add node-cloudflare-realip
# Using pnpm
pnpm add node-cloudflare-realip
# Using Bun
bun add node-cloudflare-realipconst express = require('express');
const cloudflareRealIp = require('node-cloudflare-realip');
const app = express();
// Load Cloudflare IP ranges
cloudflareRealIp.load();
// Apply middleware
app.use(cloudflareRealIp.express());
app.get('/', (req, res) => {
res.send('Your IP: ' + req.realIp);
});
app.listen(3000);const fastify = require('fastify')();
const cloudflareRealIp = require('node-cloudflare-realip');
cloudflareRealIp.load();
fastify.addHook('onRequest', cloudflareRealIp.fastify());
fastify.get('/', async (request, reply) => {
return { ip: request.realIp };
});
fastify.listen({ port: 3000 });const http = require('http');
const cloudflareRealIp = require('node-cloudflare-realip');
cloudflareRealIp.load();
http.createServer((req, res) => {
if (cloudflareRealIp.check(req)) {
req.realIp = cloudflareRealIp.get(req);
}
res.end('Your IP: ' + (req.realIp || req.socket.remoteAddress));
}).listen(3000);Load Cloudflare IP ranges from bundled ranges.json. Returns a Promise if no callback provided.
Fetch the latest IP ranges from Cloudflare's official endpoints. Returns a Promise with updated ranges.
Returns true if the request comes from a Cloudflare IP and has CF headers.
Returns the real visitor IP from Cloudflare headers or falls back to socket address.
Returns Express middleware that automatically sets req.realIp.
Returns Fastify onRequest hook function.
- Full Usage Guide
- Examples - Express, Fastify, HTTP, TypeScript examples
- Official Cloudflare Docs
- Checks if request has Cloudflare headers (
CF-Connecting-IPorTrue-Client-IP) - Validates the connection's IP address is in Cloudflare's IP ranges
- If validated, trusts the Cloudflare header and sets
req.realIp - Optionally overrides
req.socket.remoteAddressfor seamless integration
This package only trusts Cloudflare headers when the connection originates from verified Cloudflare IP ranges. This prevents IP spoofing attacks where malicious users could send fake CF-Connecting-IP headers.
See docs/usage.md for publishing instructions.
MIT
- npm Package: https://www.npmjs.com/package/node-cloudflare-realip
- GitHub Repository: https://github.com/ProgrammerNomad/node-cloudflare-realip
- Issues: https://github.com/ProgrammerNomad/node-cloudflare-realip/issues
Secure Node.js utility to restore real visitor IPs behind Cloudflare by validating Cloudflare IP ranges.