Add support for Cloudflare cf-connecting-ip header

[simonkberg]

Summary

Updated the IP address detection logic to prioritize the Cloudflare cf-connecting-ip header over other IP headers, with corresponding test coverage.

Key Changes

• Modified identifiers() function to check cf-connecting-ip header first before falling back to x-forwarded-for and x-real-ip
• Added test case to verify IP extraction from cf-connecting-ip header
• Added test case to verify cf-connecting-ip takes precedence when multiple IP headers are present

Implementation Details

The IP detection now follows this priority order:

1. cf-connecting-ip (Cloudflare)
2. x-forwarded-for (takes first value from comma-separated list)
3. x-real-ip
4. undefined (fallback)

This change ensures that when running behind Cloudflare, the actual client IP is correctly identified from Cloudflare's header rather than potentially stale forwarded headers.

https://claude.ai/code/session_01GSXb76ipr99cDh7zBnavAu

[railway-app]

🚅 Deployed to the simon.dev-pr-1614 environment in simon.dev

Service	Status	Web	Updated (UTC)
simon.dev	✅ Success (View Logs)	Web	Feb 23, 2026 at 10:42 am

[claude]

Claude finished @simonkberg's task in 52s —— View job

---

Code Review

• Gather context
• Read changed files
• Review implementation
• Review tests
• Post findings

---

The change is minimal, focused, and correct. A single line addition in identifiers.ts and two well-targeted test cases in identifiers.test.ts.

Implementation (app/lib/identifiers.ts)

The priority chain is clean and idiomatic:

ip:
  headersList.get("cf-connecting-ip") ??
  headersList.get("x-forwarded-for")?.split(",")[0] ??
  headersList.get("x-real-ip") ??
  undefined,

cf-connecting-ip is correctly handled without .split(",")[0] — Cloudflare always sends it as a single IP, so that's the right call.

One security note worth keeping in mind: cf-connecting-ip should only be trusted when traffic actually flows through Cloudflare. If something were to hit the origin directly (e.g., via Railway's public URL), this header could be spoofed. The same caveat applies to x-forwarded-for and x-real-ip, so this isn't a regression — just something to be aware of if the origin is ever exposed outside Cloudflare.

Tests (app/lib/identifiers.test.ts)

The two new tests cover exactly what they need to:

• Basic extraction from cf-connecting-ip
• Precedence over both x-forwarded-for and x-real-ip simultaneously

The existing tests for x-forwarded-for (single and multi-IP), x-real-ip, user-agent, and the missing-headers fallback remain intact, so coverage of the full priority chain is solid.

No issues to flag. LGTM.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.81%. Comparing base (87209e2) to head (00ee8f2).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1614   +/-   ##
=======================================
  Coverage   97.81%   97.81%           
=======================================
  Files          49       49           
  Lines         916      916           
  Branches      161      161           
=======================================
  Hits          896      896           
  Misses          8        8           
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.