What does "trust proxy" actually do in express.js, and do I need to use it?

joeycozza · May 1, 2014 · Viewed 38.3k times

I am writing an express app that sits behind an nginx server. I was reading through express's documentation and it mentioned the 'trust proxy' setting. All it says is:

trust proxy: Enables reverse proxy support, disabled by default

I read the little article here that explains Secure Sessions in Node with nginx.

http://blog.nikmartin.com/2013/07/secure-sessions-in-nodejs-with-nginx.html

So I am curious. Does setting 'trust proxy' to true only matter when using HTTPS? Currently my app is just HTTP between the client and nginx. If I set it to true now, are there any side-effects/repercussions I need to be aware of? Is there any point to setting it true now?

Answer

Akshat Jiwan Sharma · May 2, 2014

This is explained in detail in the Express behind the proxies guide:

By enabling the "trust proxy" setting via app.enable('trust proxy'), Express will have knowledge that it's sitting behind a proxy and that the X-Forwarded-* header fields may be trusted, which otherwise may be easily spoofed.

Enabling this setting has several subtle effects. The first of which is that X-Forwarded-Proto may be set by the reverse proxy to tell the app that it is https or simply http. This value is reflected by req.protocol.

The second change this makes is the req.ip and req.ips values will be populated with X-Forwarded-For's list of addresses.
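
To make the side effects asked about in the question concrete, the following is an added example (not part of the answer above and not Express's own source): a simplified, stand-alone model of how the X-Forwarded-* headers are resolved when 'trust proxy' is off, on for every hop, or limited to the nginx address. The function names and all addresses are constructed for illustration.

```javascript
// Simplified model (added example) of how Express derives req.ip, req.ips and
// req.protocol. Function names are hypothetical; all addresses are constructed.

// trust(addr, hopIndex) -> boolean; hop 0 is the direct TCP peer.
const trustNone = () => false;   // 'trust proxy' disabled (the default)
const trustAll = () => true;     // app.enable('trust proxy')
const trustOnly = (...ips) => (addr) => ips.includes(addr); // e.g. app.set('trust proxy', '127.0.0.1')

// Peer first, then X-Forwarded-For read right to left (nearest hop first).
// The walk stops at the first address that is not a trusted proxy.
function addressChain(peer, xff, trust) {
  const hops = [peer, ...String(xff || '').split(',').map((s) => s.trim())
    .filter(Boolean).reverse()];
  const stop = hops.findIndex((addr, i) => !trust(addr, i));
  return stop === -1 ? hops : hops.slice(0, stop + 1);
}

function resolve(req, trust) {
  const chain = addressChain(req.peer, req.headers['x-forwarded-for'], trust);
  const socketProto = req.encrypted ? 'https' : 'http';
  const fwd = req.headers['x-forwarded-proto'];
  return {
    ip: chain[chain.length - 1],
    ips: chain.slice(1).reverse(),
    // The forwarded protocol is honoured only when the direct peer is trusted.
    protocol: trust(req.peer, 0) && fwd ? fwd.split(',')[0].trim() : socketProto,
  };
}

// Constructed request: nginx on 127.0.0.1 appended the address it saw
// (203.0.113.7) to an X-Forwarded-For value the client sent itself (10.9.9.9).
const viaNginx = {
  peer: '127.0.0.1', encrypted: false,
  headers: { 'x-forwarded-for': '10.9.9.9, 203.0.113.7', 'x-forwarded-proto': 'https' },
};
// Constructed request: a client that reaches the app port without passing nginx.
const bypass = { peer: '198.51.100.23', encrypted: false,
  headers: { 'x-forwarded-for': '10.9.9.9', 'x-forwarded-proto': 'https' } };

function demo() {
  return {
    off: resolve(viaNginx, trustNone),
    all: resolve(viaNginx, trustAll),
    pinned: resolve(viaNginx, trustOnly('127.0.0.1')),
    bypassAll: resolve(bypass, trustAll),
    bypassPinned: resolve(bypass, trustOnly('127.0.0.1')),
  };
}
console.log(demo());
```

With every hop trusted, the resolved address is whatever value sits leftmost in the header, which the client controls; limiting trust to the proxy's own address yields the address nginx actually observed and ignores the headers on connections that did not come through it.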