npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, πŸ‘‹, I’m Ryan HefnerΒ  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you πŸ™

Β© 2026 – Pkg Stats / Ryan Hefner

get-client-ip

v4.0.0

Published

πŸ“ A Lightweight Utility for Extracting the Real Client IP Address from Incoming HTTP Requests

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

benhalversonbenhalversonwolfieleaderwolfieleader

Keywords

ipexpressnestjsserverbackendmiddlewarehttp

Readme

Highlights ✨

  • Checks 14 sources (headers + socket) in priority order
  • Handles comma-separated, array, and RFC 7239 Forwarded formats
  • Framework compatibility β€” supports Express v5/v4 and NestJS (Express adapter)
  • Flexible usage β€” works standalone or as middleware, and auto-populates typed req.clientIp and req.clientIps
  • Zero config β€” validates IPs using Node.js net.isIP()

Installation πŸ“¦

Requires Node.js >= 18.

npm install get-client-ip
# or
pnpm add get-client-ip

Quick Start πŸš€

import express from "express";
import { getClientIp } from "get-client-ip";

const app = express();

// Middleware β€” auto-populates req.clientIp and req.clientIps
app.use(getClientIp);

app.get("/me", (req, res) => {
  res.json({ ip: req.clientIp, ips: req.clientIps });
});

// Or standalone β€” call directly in a specific route
app.get("/ip", (req, res) => {
  const ip = getClientIp(req);
  res.json({ ip });
});

app.listen(3000);

API Reference πŸ“–

getClientIp(req, res?, next?): string | undefined

Extracts the client's IP address from an incoming request. Works both as a standalone function and as Express middleware. Returns string | undefined.

Side effects: Sets req.clientIp and req.clientIps on the request object when a valid IP is found. Throws if req is undefined.

TypeScript Augmentation

The package augments the Express Request type automatically:

// These properties are available after calling getClientIp
req.clientIp; // string | undefined β€” first valid IP
req.clientIps; // [string, ...string[]] | undefined β€” all valid IPs (non-empty array)

No manual type declarations are needed.

Header Priority πŸ“‹

Sources are checked in the following order. The first valid IP found is returned.

| Priority | Source | Description | | -------- | -------------------------- | -------------------------------------- | | 1 | req.ip | Express trust proxy setting | | 2 | Forwarded | RFC 7239 (parsed for for= directive) | | 3 | CF-Connecting-IP | Cloudflare | | 4 | True-Client-IP | Akamai / Cloudflare Enterprise | | 5 | Fastly-Client-IP | Fastly CDN | | 6 | X-Appengine-User-IP | Google App Engine | | 7 | CF-Pseudo-IPv4 | Cloudflare pseudo-IPv4 | | 8 | X-Client-IP | General proxy header | | 9 | X-Forwarded-For | De facto standard proxy header | | 10 | Forwarded-For | Variant of X-Forwarded-For | | 11 | X-Forwarded | Microsoft variant | | 12 | X-Real-IP | Nginx proxy header | | 13 | X-Cluster-Client-IP | Rackspace / Riverbed | | 14 | req.socket.remoteAddress | Direct connection fallback |

NestJS 🧩

import { Controller, Get, Req } from "@nestjs/common";
import type { Request } from "express";
import { getClientIp } from "get-client-ip";

@Controller()
export class AppController {
  @Get("ip")
  getIp(@Req() req: Request) {
    const ip = getClientIp(req);
    return { ip };
  }
}

Security πŸ›‘οΈ

Header trust warning: When req.ip is not populated, forwarding headers are used only when req.socket.remoteAddress appears to be from a local/private proxy range. Public socket peers skip header fallback to reduce spoofing risk.

In production behind a reverse proxy:

  1. Configure Express's trust proxy setting so that req.ip is correctly populated
  2. This ensures the function returns req.ip first and avoids fallback ambiguity
  3. Without trust proxy, forwarding headers may still be ignored when the peer is public

CGNAT addresses: Addresses in the 100.64.0.0/10 range (RFC 6598) are treated as public, not trusted proxy addresses. Headers are not trusted when the socket peer is a CGNAT address. If your application is behind a load balancer (e.g., AWS ALB), configure Express's trust proxy setting so req.ip is populated correctly.

Credits πŸ™

Inspired by Petar Bojinov's work on client IP detection.

Contributions 🀝

  • Open an issue or feature request
  • Submit a PR to improve the package
  • Star the repo if you find it useful

Crafted carefully by WolfieLeader

This project is licensed under the MIT License.