{
  "instruction": "Set trust proxy for correct client IP detection behind reverse proxies",
  "relevant_when": "Agent creates or modifies an Express application that will run behind a reverse proxy, load balancer, CDN, or in any cloud deployment",
  "context": "Without trust proxy, req.ip returns the proxy's IP, breaking rate limiting and IP logging. Set trust proxy to the number of proxy hops (e.g., 1 for a single reverse proxy). Never set trust proxy to true, which blindly trusts X-Forwarded-For and allows IP spoofing. When the deployment topology is not specified, default to 1.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/express-security-basics/SKILL.md",
      "tile": "tessl-labs/express-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "trust-proxy-set",
      "rule": "Agent sets app.set('trust proxy', N) where N is a number matching the proxy hop count, or uses 'loopback' for localhost proxies",
      "relevant_when": "Agent creates or modifies an Express application"
    },
    {
      "name": "trust-proxy-not-true",
      "rule": "Agent does not set trust proxy to true (boolean), which blindly trusts all X-Forwarded-For entries and allows IP spoofing",
      "relevant_when": "Agent sets trust proxy"
    }
  ]
}