From 64abb9f6c386222f4bfd63632537d7bd6592bbe6 Mon Sep 17 00:00:00 2001
From: a1denvalu3
Date: Sat, 18 Apr 2026 19:44:02 +0200
Subject: [PATCH 1/3] fix: update default rate limit proxy settings

---
 cashu/core/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cashu/core/settings.py b/cashu/core/settings.py
index aa8b95e55..4fc7de7e2 100644
--- a/cashu/core/settings.py
+++ b/cashu/core/settings.py
@@ -111,7 +111,7 @@ class MintLimits(MintSettings):
         description="IP-based rate limiter.",
     )
     mint_rate_limit_proxy_trust: bool = Field(
-        default=True,
+        default=False,
         title="Trust proxy headers for rate limiting",
         description=(
             "Extract client IP from proxy headers (X-Forwarded-For,"

From 34d39c493c4b6330b8b981203061ccf2c8053a56 Mon Sep 17 00:00:00 2001
From: a1denvalu3
Date: Sat, 18 Apr 2026 19:48:35 +0200
Subject: [PATCH 2/3] feat: add warning when mint_rate_limit_proxy_trust is enabled

---
 cashu/mint/startup.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cashu/mint/startup.py b/cashu/mint/startup.py
index bc84c3673..bc271ac3c 100644
--- a/cashu/mint/startup.py
+++ b/cashu/mint/startup.py
@@ -47,6 +47,14 @@
         logger.debug(f"{key}: {value}")
+if settings.mint_rate_limit_proxy_trust:
+    logger.warning(
+        "WARNING: mint_rate_limit_proxy_trust is enabled! "
+        "Ensure your mint is behind a reverse proxy (like Nginx, Caddy, or Cloudflare). "
+        "If it is exposed directly to the internet, clients can bypass rate limits "
+        "by spoofing the X-Forwarded-For or CF-Connecting-IP headers."
+    )
+
 wallets_module = importlib.import_module("cashu.lightning")
 backends: Dict[Method, Dict[Unit, LightningBackend]] = {}

From 5240e9a452a43dce1188369829fa3afae5706b6e Mon Sep 17 00:00:00 2001
From: a1denvalu3
Date: Mon, 20 Apr 2026 00:27:45 +0200
Subject: [PATCH 3/3] revert: keep mint_rate_limit_proxy_trust default to True

---
 cashu/core/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
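Review bot: The added `logger.warning(...)` block in startup.py is the only safeguard this series leaves for the spoofable-header case, and a single startup log line is easy to miss in a long boot log; if the limiter does not already check that the immediate peer is a configured proxy address before honouring the headers, trusting them on a bare boolean is the real weakness, and that cannot be confirmed from this hunk. At minimum the message should tell the operator what to change, e.g. append `"Set mint_rate_limit_proxy_trust to False if no trusted reverse proxy is in front of the mint."`. The `"WARNING: "` prefix repeats the level that `logger.warning` already records and can be dropped. The header names are hardcoded in the message and will drift from whatever the rate limiter actually reads (the Field description in settings.py lists them as well), so if the limiter defines them in one place, format them from there.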
diff --git a/cashu/core/settings.py b/cashu/core/settings.py
index 4fc7de7e2..aa8b95e55 100644
--- a/cashu/core/settings.py
+++ b/cashu/core/settings.py
@@ -111,7 +111,7 @@ class MintLimits(MintSettings):
         description="IP-based rate limiter.",
     )
     mint_rate_limit_proxy_trust: bool = Field(
-        default=False,
+        default=True,
         title="Trust proxy headers for rate limiting",
         description=(
             "Extract client IP from proxy headers (X-Forwarded-For,"
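Review bot: Restoring `default=True` on `mint_rate_limit_proxy_trust` leaves header trust enabled for every deployment, including mints reached directly, where the client controls the headers the IP limiter keys on; patch 1 of this series had set it to `False`, and after this revert the only remaining mitigation is the startup log added in patch 2. If the default must stay `True` so that proxied deployments keep per-client buckets, the Field's `description` should state the trade-off rather than only describing the mechanism, e.g. add the sentence `"Set to False when the mint is reached directly; otherwise clients can evade the IP rate limit with spoofed headers."` to the description tuple. The commit message gives no rationale for the revert; recording why `True` was kept would help the next reader. The `description=(` tuple and the `MintLimits` class body continue outside the hunk.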