When an application is fronted by a proxy like Cloudflare, the connecting socket address will be in Cloudflare's CIDR ranges. We support filtering these via the proxies configuration on our SDK, but then we don't have the connecting client's IP. Cloudflare will attach the client IP as cf-connecting-ip, so we could map back to that; however, we can't do this for all users because we don't know their specific proxy setup.

Perhaps we could expand the proxy configuration to allow re-mapping of headers, such as:

arcjet({
  // ... config
  proxies: {
    "cf-connecting-ip": [
      // Cloudflare CIDR ranges
    ]
  }
})