diff --git a/lib/index.js b/lib/index.js
index 8c806bd..26eb086 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -22,6 +22,10 @@ const enforceHTTPS = Boolean(process.env.ENFORCE_HTTPS)
 
 const app = express()
 const appLogger = createAppLogger({ dev: isDevelopment })
+const limiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 10,
+})
 
 // Force app to always redirect to HTTPS
 // use when you can't configure web server
@@ -34,6 +38,7 @@ app.use(createRouteLogger({ dev: isDevelopment }))
 
 app.set('view engine', 'ejs')
 app.set('views', path.join(__dirname, 'views'))
+app.set('trust proxy', 1)
 
 app.use(express.static(path.join(__dirname, 'public')))
 app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
@@ -66,8 +71,8 @@ app.get('*', (req, res) => {
   res.status(400).render('404')
 })
 
+app.use('/download', limiter)
 app.use('/download', checkURLParameter)
-app.use('/download', rateLimit())
 app.post('/download', async (req, res, next) => {
   try {
     const { url } = req.body