diff --git a/common/config.go b/common/config.go
index e85bfc6..7ee6594 100644
--- a/common/config.go
+++ b/common/config.go
@@ -70,6 +70,12 @@ const (
 type Config struct {
 	Listen string `yaml:"listen"`
 
+	// TrustedProxies is a list of trusted proxy IPs or CIDRs.
+	// When set, Gin will only trust X-Forwarded-For from these sources.
+	// When empty (default), proxy headers are not trusted and ClientIP()
+	// returns the direct remote address.
+	TrustedProxies []string `yaml:"trusted-proxies"`
+
 	Db DbConfig `yaml:"db"`
 
 	APIPath string `yaml:"api-path"`
diff --git a/docs/config.yml b/docs/config.yml
index 312baca..b0c9ede 100644
--- a/docs/config.yml
+++ b/docs/config.yml
@@ -1,6 +1,21 @@
 # The application will listen at this address
 listen: :8089
 
+# Trusted proxy IPs or CIDRs.
+# When set, Gin will only trust X-Forwarded-For headers from these sources
+# to determine the client IP. This is important for IP-based rate limiting
+# and logging to work correctly.
+# When empty or not set (default), proxy headers are NOT trusted and
+# ClientIP() returns the direct remote address (most secure default).
+# If go-drive is running behind a reverse proxy (e.g. Nginx), you MUST
+# configure this to include the proxy's IP/CIDR, otherwise the real
+# client IP will not be recognized.
+#trusted-proxies:
+#  - 127.0.0.1
+#  - 10.0.0.0/8
+#  - 172.16.0.0/12
+#  - 192.168.0.0/16
+
 db:
   # database type: currently supports sqlite, mysql
   type: sqlite
diff --git a/server/server.go b/server/server.go
index 2ecb889..095a6f3 100644
--- a/server/server.go
+++ b/server/server.go
@@ -55,6 +55,14 @@ func InitServer(config common.Config,
 
 	engine := gin.New()
 
+	if len(config.TrustedProxies) > 0 {
+		if e := engine.SetTrustedProxies(config.TrustedProxies); e != nil {
+			return nil, e
+		}
+	} else {
+		engine.SetTrustedProxies(nil)
+	}
+
 	engine.Use(gin.CustomRecovery(handlePanic))
 
 	if noLogRequest, _ := os.LookupEnv("NO_LOG_REQUEST"); noLogRequest == "" {