modelcontextprotocol · jerome3o-anthropic · Mar 17, 2026 · Jan 20, 2026 · Mar 17, 2026
diff --git a/src/index.ts b/src/index.ts
@@ -44,6 +44,10 @@ async function main() {
 
   const app = express();
 
+  // Trust proxy headers (X-Forwarded-For, etc.) when behind reverse proxy (Cloudflare, etc.)
+  // This is required for rate limiting to work correctly with real client IPs
+  app.set('trust proxy', true);
+
   // Basic middleware
   // Intentionally permissive CORS for public MCP reference server
   // This allows any MCP client to test against this reference implementation
@@ -188,7 +192,7 @@ async function main() {
   // Rate limiter for splash page (moderate limit)
   const splashPageLimiter = rateLimit({
     windowMs: 60 * 1000, // 1 minute
-    max: 50, // 50 requests per minute
+    max: 200, // 200 requests per minute
     message: 'Too many requests to splash page',
     standardHeaders: true,
     legacyHeaders: false,

diff --git a/src/modules/auth/index.ts b/src/modules/auth/index.ts
@@ -77,15 +77,15 @@ export class AuthModule {
     // Rate limiters for different route types
     const authLimiter = rateLimit({
       windowMs: 60 * 1000, // 1 minute
-      max: 20, // 20 requests per minute for auth endpoints
+      max: 200, // 200 requests per minute for auth endpoints
       message: 'Too many authentication attempts',
       standardHeaders: true,
       legacyHeaders: false,
     });
 
     const staticAssetLimiter = rateLimit({
       windowMs: 60 * 1000, // 1 minute
-      max: 100, // 100 requests per minute for static assets
+      max: 500, // 500 requests per minute for static assets
       message: 'Too many requests for static assets',
       standardHeaders: true,
       legacyHeaders: false,
@@ -96,10 +96,10 @@ export class AuthModule {
       provider: this.provider,
       issuerUrl: new URL(this.config.authServerUrl || this.config.baseUri),
       tokenOptions: {
-        rateLimit: { windowMs: 5000, limit: 100 }
+        rateLimit: { windowMs: 5000, limit: 300 } // 300 requests per 5 seconds
       },
       clientRegistrationOptions: {
-        rateLimit: { windowMs: 60000, limit: 10 }
+        rateLimit: { windowMs: 60000, limit: 60 } // 60 requests per minute
       }
     }));
 

diff --git a/src/modules/mcp/index.ts b/src/modules/mcp/index.ts
@@ -51,7 +51,7 @@ export class MCPModule {
     // Rate limiter for static assets
     const staticAssetLimiter = rateLimit({
       windowMs: 60 * 1000, // 1 minute
-      max: 100, // 100 requests per minute for static assets
+      max: 500, // 500 requests per minute for static assets
       message: 'Too many requests for static assets',
       standardHeaders: true,
       legacyHeaders: false,