Skip to content

Comments

Add support for Cloudflare cf-connecting-ip header#1614

Merged
simonkberg merged 1 commit intomainfrom
claude/update-ip-resolver-cf-1wXA1
Feb 23, 2026
Merged

Add support for Cloudflare cf-connecting-ip header#1614
simonkberg merged 1 commit intomainfrom
claude/update-ip-resolver-cf-1wXA1

Conversation

@simonkberg
Copy link
Owner

Summary

Updated the IP address detection logic to prioritize the Cloudflare cf-connecting-ip header over other IP headers, with corresponding test coverage.

Key Changes

  • Modified identifiers() function to check cf-connecting-ip header first before falling back to x-forwarded-for and x-real-ip
  • Added test case to verify IP extraction from cf-connecting-ip header
  • Added test case to verify cf-connecting-ip takes precedence when multiple IP headers are present

Implementation Details

The IP detection now follows this priority order:

  1. cf-connecting-ip (Cloudflare)
  2. x-forwarded-for (takes first value from comma-separated list)
  3. x-real-ip
  4. undefined (fallback)

This change ensures that when running behind Cloudflare, the actual client IP is correctly identified from Cloudflare's header rather than potentially stale forwarded headers.

https://claude.ai/code/session_01GSXb76ipr99cDh7zBnavAu

Add Cloudflare's cf-connecting-ip as the highest priority header
when resolving client IP addresses, ahead of x-forwarded-for and
x-real-ip.

https://claude.ai/code/session_01GSXb76ipr99cDh7zBnavAu
@railway-app railway-app bot temporarily deployed to simon.dev / simon.dev-pr-1614 February 23, 2026 10:40 Destroyed
@railway-app
Copy link

railway-app bot commented Feb 23, 2026

🚅 Deployed to the simon.dev-pr-1614 environment in simon.dev

Service Status Web Updated (UTC)
simon.dev ✅ Success (View Logs) Web Feb 23, 2026 at 10:42 am

@claude
Copy link
Contributor

claude bot commented Feb 23, 2026

Claude finished @simonkberg's task in 52s —— View job


Code Review

  • Gather context
  • Read changed files
  • Review implementation
  • Review tests
  • Post findings

The change is minimal, focused, and correct. A single line addition in identifiers.ts and two well-targeted test cases in identifiers.test.ts.

Implementation (app/lib/identifiers.ts)

The priority chain is clean and idiomatic:

ip:
  headersList.get("cf-connecting-ip") ??
  headersList.get("x-forwarded-for")?.split(",")[0] ??
  headersList.get("x-real-ip") ??
  undefined,

cf-connecting-ip is correctly handled without .split(",")[0] — Cloudflare always sends it as a single IP, so that's the right call.

One security note worth keeping in mind: cf-connecting-ip should only be trusted when traffic actually flows through Cloudflare. If something were to hit the origin directly (e.g., via Railway's public URL), this header could be spoofed. The same caveat applies to x-forwarded-for and x-real-ip, so this isn't a regression — just something to be aware of if the origin is ever exposed outside Cloudflare.

Tests (app/lib/identifiers.test.ts)

The two new tests cover exactly what they need to:

  • Basic extraction from cf-connecting-ip
  • Precedence over both x-forwarded-for and x-real-ip simultaneously

The existing tests for x-forwarded-for (single and multi-IP), x-real-ip, user-agent, and the missing-headers fallback remain intact, so coverage of the full priority chain is solid.

No issues to flag. LGTM.

@codecov
Copy link

codecov bot commented Feb 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.81%. Comparing base (87209e2) to head (00ee8f2).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1614   +/-   ##
=======================================
  Coverage   97.81%   97.81%           
=======================================
  Files          49       49           
  Lines         916      916           
  Branches      161      161           
=======================================
  Hits          896      896           
  Misses          8        8           
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@simonkberg simonkberg merged commit 51e23c4 into main Feb 23, 2026
8 checks passed
@simonkberg simonkberg deleted the claude/update-ip-resolver-cf-1wXA1 branch February 23, 2026 10:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants