updated to handle proxies correctly

.env.example

@@ -33,6 +33,8 @@ SESSION_ENCRYPT=false
 SESSION_PATH=/
 SESSION_DOMAIN=null
 
+TRUSTED_PROXIES=127.0.0.1,::1
+
 BROADCAST_CONNECTION=log
 FILESYSTEM_DISK=local
 QUEUE_CONNECTION=database

bootstrap/app.php

@@ -11,6 +11,8 @@ return Application::configure(basePath: dirname(__DIR__))
         health: '/up',
     )
     ->withMiddleware(function (Middleware $middleware): void {
+        $proxies = config('app.trusted_proxies');
+        $middleware->trustProxies(at: $proxies === '*' ? '*' : array_map('trim', explode(',', $proxies)));
         $middleware->web(append: [
             \App\Http\Middleware\AddContentSecurityPolicy::class,
         ]);

config/app.php

@@ -123,4 +123,19 @@ return [
         'store' => env('APP_MAINTENANCE_STORE', 'database'),
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Trusted Proxies
+    |--------------------------------------------------------------------------
+    |
+    | Set the IP addresses or CIDR ranges of proxies to trust for forwarded
+    | headers (X-Forwarded-Proto, X-Forwarded-For, etc). Use comma-separated
+    | values for multiple proxies, or '*' to trust all proxies.
+    |
+    | Examples: '127.0.0.1,::1', '10.0.0.0/8', '192.168.1.1', '*'
+    |
+    */
+
+    'trusted_proxies' => env('TRUSTED_PROXIES', '127.0.0.1,::1'),
+
 ];