fix: enable trust proxy for correct rate limiting behind reverse proxy

Without this, rate limiting uses the proxy's IP instead of actual client IPs,
causing all requests through Cloudflare to be rate limited together.

Author: Guro

src/index.ts

@@ -44,6 +44,10 @@ async function main() {
 
   const app = express();
 
+  // Trust proxy headers (X-Forwarded-For, etc.) when behind reverse proxy (Cloudflare, etc.)
+  // This is required for rate limiting to work correctly with real client IPs
+  app.set('trust proxy', true);
+
   // Basic middleware
   // Intentionally permissive CORS for public MCP reference server
   // This allows any MCP client to test against this reference implementation