extractClientIp
extractClientIp(headers, ipHeaders?): string
Defined in: src/utils/ip.ts:32
Extract the client IP address from request headers.
Iterates through ipHeaders in order. For comma-separated headers like
X-Forwarded-For, only the first (leftmost) value is returned.
Parameters
headers
An object with a .get(name) method (e.g. Headers, Hono c.req).
ipHeaders?
readonly string[] = DEFAULT_IP_HEADERS
Ordered list of headers to inspect. Default: DEFAULT_IP_HEADERS.
Returns
string
The extracted IP address, or "unknown" if none found.
Security
The X-Forwarded-For header is trivially spoofable by clients
outside of trusted proxy infrastructure. An attacker can set arbitrary IP
values to bypass IP-based allowlists, rate limits, or geo-restrictions.
When deploying behind a load balancer or CDN, configure ipHeaders to
match your proxy’s trusted header (e.g. cf-connecting-ip for Cloudflare,
x-real-ip for nginx) and ensure the proxy strips or overwrites any
client-supplied forwarding headers.
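The following is an added example, not the library's source: extractClientIpSketch is a local stand-in that follows the behaviour documented above, and it shows why both halves of this advice matter (which header the application reads, and whether the proxy overwrites it). The two proxy functions, the addresses and the header values are constructed for illustration.

```typescript
// Added example: local stand-in for the documented behaviour, not the library's source.
type HeaderSource = { get(name: string): string | null };
type Raw = Record<string, string>; // constructed requests; keys are lowercase

// First configured header that is present wins; for comma-separated values
// only the leftmost entry is returned; "unknown" when nothing matches.
function extractClientIpSketch(headers: HeaderSource, ipHeaders: readonly string[]): string {
  for (const name of ipHeaders) {
    const first = (headers.get(name) ?? "").split(",")[0] ?? "";
    if (first.trim()) return first.trim();
  }
  return "unknown";
}

const asHeaders = (raw: Raw): HeaderSource => ({
  get: (name: string) => raw[name.toLowerCase()] ?? null,
});

// Hypothetical proxy A: appends the TCP peer address to any existing
// X-Forwarded-For and passes every other client header through untouched.
function appendingProxy(client: Raw, peer: string): Raw {
  const prior = client["x-forwarded-for"];
  return { ...client, "x-forwarded-for": prior ? `${prior}, ${peer}` : peer };
}

// Hypothetical proxy B: drops client-supplied forwarding headers and sets
// x-real-ip from the TCP peer address it observed itself.
function overwritingProxy(client: Raw, peer: string): Raw {
  const out: Raw = {};
  for (const key of Object.keys(client)) {
    if (key !== "x-forwarded-for" && key !== "x-real-ip") out[key] = client[key] ?? "";
  }
  out["x-real-ip"] = peer;
  return out;
}

// Constructed request: the real peer is 203.0.113.50, but the client claims 10.0.0.1.
const PEER = "203.0.113.50";
const clientSent: Raw = { "x-forwarded-for": "10.0.0.1", "x-real-ip": "10.0.0.1", host: "app.example" };

// Leftmost X-Forwarded-For behind an appending proxy is the client's claim.
const leftmostBehindAppend = (): string =>
  extractClientIpSketch(asHeaders(appendingProxy(clientSent, PEER)), ["x-forwarded-for"]);
// Reading x-real-ip does not help if the proxy passes the client's copy through.
const realIpNotStripped = (): string =>
  extractClientIpSketch(asHeaders(appendingProxy(clientSent, PEER)), ["x-real-ip"]);
// Proxy overwrites the header and the application reads only that header.
const realIpOverwritten = (): string =>
  extractClientIpSketch(asHeaders(overwritingProxy(clientSent, PEER)), ["x-real-ip"]);
```

Only the last combination returns the address the proxy actually observed; the first two return the value the client supplied.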