extractClientIp
extractClientIp(headers, options?): string
Defined in: src/utils/ip.ts:59
Extract the client IP address from request headers.
Iterates through ipHeaders in order. For comma-separated headers like
X-Forwarded-For, the behavior depends on options:
- By default, returns the first (leftmost) value
- With useRightmostForwardedIp: true, returns the last (rightmost) value
- With trustedProxies, validates the leftmost IP against trusted ranges
Parameters
headers
An object with a .get(name) method (e.g. Headers, Hono c.req).
options?
ExtractClientIpOptions = {}
Configuration options for IP extraction.
Returns
string
The extracted IP address, or "unknown" if none found.
Security
The X-Forwarded-For header is trivially spoofable by clients
outside of trusted proxy infrastructure. An attacker can set arbitrary IP
values to bypass IP-based allowlists, rate limits, or geo-restrictions.
To mitigate:
- Use cf-connecting-ip when behind Cloudflare (not spoofable by clients)
- Configure trustedProxies to validate X-Forwarded-For IPs
- Use useRightmostForwardedIp: true when behind a trusted proxy
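The difference between the leftmost and rightmost value is easiest to see on a header that has passed through one trusted proxy. The following is an added example, not the code in src/utils/ip.ts: pickClientIp, fakeHeaders, proxyAppend, demo and the option names are hypothetical, and the addresses are constructed sample values.

```typescript
// Added illustration, not the library's src/utils/ip.ts. All names are hypothetical.
interface HeaderSource { get(name: string): string | null | undefined; }
interface PickOptions { ipHeaders?: string[]; useRightmost?: boolean; }

// Walk the header names in order; for a comma-separated value pick one end.
function pickClientIp(headers: HeaderSource, opts: PickOptions = {}): string {
  const names = opts.ipHeaders ?? ["x-forwarded-for"];
  for (const name of names) {
    const raw = headers.get(name);
    if (!raw) continue;
    const parts = raw.split(",").map((p) => p.trim()).filter((p) => p.length > 0);
    const ip = opts.useRightmost ? parts[parts.length - 1] : parts[0];
    if (ip) return ip;
  }
  return "unknown";
}

// Minimal stand-in for a Headers-like object (keys given in lowercase).
function fakeHeaders(values: Record<string, string>): HeaderSource {
  return { get: (name: string) => values[name.toLowerCase()] ?? null };
}

// What a trusted reverse proxy does: append the peer address it actually saw.
function proxyAppend(clientSupplied: string | null, peerIp: string): string {
  return clientSupplied ? `${clientSupplied}, ${peerIp}` : peerIp;
}

// Constructed scenario: peer 203.0.113.7 sends a forged X-Forwarded-For of 10.0.0.5.
function demo() {
  const xff = proxyAppend("10.0.0.5", "203.0.113.7");
  const viaProxy = fakeHeaders({ "x-forwarded-for": xff });
  const viaCloudflare = fakeHeaders({ "x-forwarded-for": xff, "cf-connecting-ip": "203.0.113.7" });
  return {
    // Leftmost entry is whatever the client wrote into the header.
    leftmost: pickClientIp(viaProxy),
    // Rightmost entry is the address the proxy observed and appended.
    rightmost: pickClientIp(viaProxy, { useRightmost: true }),
    // A proxy-set header listed first wins over X-Forwarded-For.
    cloudflare: pickClientIp(viaCloudflare, { ipHeaders: ["cf-connecting-ip", "x-forwarded-for"] }),
    // No usable header at all.
    none: pickClientIp(fakeHeaders({})),
  };
}
```

An allowlist keyed on the leftmost result would see 10.0.0.5 here, while the rightmost and cf-connecting-ip results both yield the address the proxy actually observed.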