If you are running behind a proxy like NGiNX or what have you, only then you should check for 'x-forwarded-for'
:
var ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
If the proxy isn’t ‘yours’, I wouldn’t trust the 'x-forwarded-for'
header, because it can be spoofed.