diff --git a/server/index.js b/server/index.js
index 8f319c8..86452b6 100644
--- a/server/index.js
+++ b/server/index.js
@@ -21,7 +21,8 @@ const { apiDebugMiddleware } = require('./utils/apiDebugLogger');
 const app = express();
 // Trust proxy headers for getting real client IPs behind nginx
-app.set('trust proxy', true);
+// Trust only the first proxy (nginx) for security
+app.set('trust proxy', 1);
 const server = createServer(app);
 const io = new Server(server, {
@@ -40,10 +41,19 @@ const limiter = rateLimit({
   windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS) || 15 * 60 * 1000, // 15 minutes
   max: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS) || 1000, // Increased from 100 to 1000
   message: 'Too many requests from this IP, please try again later.',
+  // Custom key generator to handle proxy headers properly
+  keyGenerator: (req) => {
+    // Get the real IP from proxy headers, with fallback
+    return req.ip || req.connection.remoteAddress || 'unknown';
+  },
   skip: (req) => {
     // Skip rate limiting for drone detection endpoints during testing
     return req.path.includes('/detections') || req.path.includes('/detectors');
-  }
+  },
+  // Skip failed requests (don't count them against the limit)
+  skipFailedRequests: true,
+  // Skip successful requests (only count errors/abuse)
+  skipSuccessfulRequests: false
 });
 // Middleware
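Review bot: `app.set('trust proxy', 1)` is only correct if nginx is the single hop in front of this process and nginx itself writes the X-Forwarded-For value rather than forwarding whatever the client sent; if nginx merely passes the header through, or a load balancer is later placed in front of it, `req.ip` (and therefore the rate-limit key below) becomes attacker-controlled or collapses to the proxy address. The new comment should state that assumption so the hop count is revisited when the topology changes, e.g. `// Trust exactly one hop (nginx). nginx must set X-Forwarded-For itself; raise this count if another proxy/LB is added in front.`. Consider reading the hop count from an environment variable the same way the rate-limit values below are, so a deployment change does not require a code change.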
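Review bot: `skipFailedRequests: true` exempts every request that finishes with a 4xx/5xx status from the count, so bursts of 401/403/404 responses — failed logins, token guessing, path probing, exactly the traffic a limiter is meant to slow — never reach `max`; the comment on `skipSuccessfulRequests` ("only count errors/abuse") describes the opposite of what this pair does. Unless the intent is specifically to exclude server-side 5xx from the budget, change this to `skipFailedRequests: false,` (both options default to false, so the two new lines can simply be dropped). The custom `keyGenerator` returns the same `req.ip` the library's default uses, but it bypasses any IPv6 address normalisation the installed express-rate-limit version applies in its default generator (check the version in use — recent releases warn when a custom generator returns a raw IPv6 address), and `req.connection` is a deprecated alias for `req.socket`, so `return req.ip || req.socket?.remoteAddress || 'unknown';` is the safer fallback. Note also that the `'unknown'` fallback puts every address-less request into one shared bucket, which is worth a comment if that is intended.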