diff --git a/backend/src/app.js b/backend/src/app.js
index 715fb5d..5476f75 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -8,6 +8,10 @@ const { apiLimiter } = require('./middleware/rateLimiter');
 const app = express();
+// Trust proxy - Required for correct IP detection behind nginx/load balancer
+// This allows Express to read X-Forwarded-For and X-Real-IP headers
+app.set('trust proxy', 1);
+
 // Security Headers (helmet)
 app.use(helmet({
   contentSecurityPolicy: {
@@ -110,6 +114,20 @@ app.get('/api/health', (req, res) => {
   });
 });
+// IP check endpoint (for debugging - remove in production)
+app.get('/api/debug/ip', (req, res) => {
+  const { getClientIP } = require('./utils/request');
+  res.json({
+    clientIP: getClientIP(req),
+    headers: {
+      'x-forwarded-for': req.headers['x-forwarded-for'],
+      'x-real-ip': req.headers['x-real-ip'],
+    },
+    expressIP: req.ip,
+    socketIP: req.connection?.remoteAddress,
+  });
+});
+
 // Apply rate limiting to all API routes
 app.use('/api/', apiLimiter);
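Review bot: The second comment line above `app.set('trust proxy', 1)` over-claims what the setting does: Express derives `req.ip`/`req.ips` (and `req.protocol`/`req.hostname`) from `X-Forwarded-For`/`X-Forwarded-Proto`/`X-Forwarded-Host`, while `X-Real-IP` is not consulted by Express at all, so any code that wants it must read the header itself. The value `1` trusts exactly one proxy hop, which is only correct while every request passes through exactly one nginx/load-balancer tier and the app port is not reachable directly; if either assumption breaks, `req.ip` becomes caller-controlled and the presumably IP-keyed `apiLimiter` applied further down can no longer be relied on. Suggest replacing the second comment line with `// 'trust proxy' = 1: trust exactly one proxy hop; req.ip then comes from X-Forwarded-For (X-Real-IP is not read by Express).` and stating the deployment assumption next to it.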
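Review bot: `/api/debug/ip` is registered before `app.use('/api/', apiLimiter)` and carries no authentication, so it is reachable by anyone and, since Express runs middleware in registration order and the handler never calls `next()`, the rate limiter never applies to it; the "remove in production" comment is not enforced by anything. The response echoes the raw forwarding headers and the socket peer address, which exposes the proxy chain and internal addressing to any caller. At minimum gate the registration, e.g. wrap the `app.get(...)` in `if (process.env.NODE_ENV !== 'production') {` … `}`, or register it after the limiter and behind authentication. `req.connection` is deprecated in Node in favour of `req.socket`, so `socketIP: req.socket?.remoteAddress,` is the supported form, and the `require('./utils/request')` inside the handler would conventionally sit with the other requires at the top of the file.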