Rate Limiting Should Be Applied Based on X-Forwarded-For Header, Not Server IP. #5

@YasogaN

Description

Currently, the rate-limiting implementation is using the c.ClientIP() method in the Gin framework to get the client’s IP address, which by default returns the server IP address when running behind a proxy. This causes the rate limit to be applied incorrectly, as the server’s IP address is used for rate-limiting checks, rather than the actual client IP address. As a result, users behind the same proxy or load balancer will be rate-limited incorrectly, leading to a poor user experience where multiple users may hit the same rate limit despite being distinct clients.

To resolve this, rate-limiting should be applied based on the X-Forwarded-For header, which accurately reflects the client IP address, even when requests are proxied or load-balanced.
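The following is an added illustration, not code from this issue or the project it concerns, of how a proxy-aware rate-limit key is derived and why the header cannot simply be trusted as-is. It uses only Go's standard `net/http` rather than Gin, and the trusted-proxy ranges (`10.0.0.0/8`, `127.0.0.1/32`), the limiter parameters and the sample request addresses are all assumptions. X-Forwarded-For is appended by each proxy but the leftmost entries are supplied by the client, so the resolver only believes the header when the TCP peer is a known proxy, and then walks the header from the right, skipping trusted hops, to find the first address a proxy actually observed. Without that allowlist a client could reset its own bucket on every request just by sending a different header value.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Assumed allowlist of the reverse proxies / load balancers in front of the
// service. Only X-Forwarded-For entries appended by these hops are believed.
var trustedProxies = mustParseCIDRs([]string{"10.0.0.0/8", "127.0.0.1/32"})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP resolves the address to key the limiter on. remoteAddr is the TCP
// peer ("host:port"), xff the raw X-Forwarded-For value. The header is ignored
// unless the peer is a trusted proxy; it is then read right to left, skipping
// trusted hops. A malformed entry or an all-trusted chain falls back to the peer.
func clientIP(remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present (e.g. unix socket or test request)
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrustedProxy(peer) {
		return host // direct client: header is attacker-controlled, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break
		}
		if !isTrustedProxy(ip) {
			return ip.String()
		}
	}
	return host
}

// fixedWindowLimiter allows at most limit requests per key per window.
type fixedWindowLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	buckets map[string]*bucket // keyed by resolved client IP
}

type bucket struct {
	count int
	reset time.Time
}

func newLimiter(limit int, window time.Duration) *fixedWindowLimiter {
	return &fixedWindowLimiter{limit: limit, window: window, buckets: map[string]*bucket{}}
}

// allow records one request for key at time now and reports whether it fits.
func (l *fixedWindowLimiter) allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok || now.After(b.reset) {
		l.buckets[key] = &bucket{count: 1, reset: now.Add(l.window)}
		return true
	}
	if b.count >= l.limit {
		return false
	}
	b.count++
	return true
}

// rateLimit is the middleware: key on the resolved client, not the peer.
func rateLimit(l *fixedWindowLimiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.allow(clientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For")), time.Now()) {
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	h := rateLimit(newLimiter(2, time.Minute), http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	// Constructed requests: three arrivals via trusted proxy 10.0.0.5 for the
	// same client 203.0.113.7; the third must get 429.
	for i := 1; i <= 3; i++ {
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.RemoteAddr = "10.0.0.5:443"
		req.Header.Set("X-Forwarded-For", "203.0.113.7")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Printf("request %d -> %d\n", i, rec.Code)
	}
}
```

The same allowlist idea is what Gin exposes through `engine.SetTrustedProxies`; the header-walking logic above is the part that decides whether a forwarded address is believed at all, and is the check worth keeping no matter which framework produces the key.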

Labels
enhancement (New feature or request)
