diff --git a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
index 6874cbe43d..c52aa9b454 100644
--- a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
+++ b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
@@ -11,13 +11,13 @@ module.exports =
 requestReset: (req, res)->
 email = req.body.email.trim().toLowerCase()
 opts =
- endpointName:"auto_compile"
- timeInterval:60
- subjectName:email
- throttle: 3
+ endpointName: "password_reset_rate_limit"
+ timeInterval: 60
+ subjectName: req.ip
+ throttle: 6
 RateLimiter.addCount opts, (err, canCompile)->
 if !canCompile
- return res.send 500
+ return res.send 500, { message: "Rate limit hit. Please wait a while before retrying" }
 PasswordResetHandler.generateAndEmailResetToken email, (err)->
 if err?
 res.send 500, {message:err?.message}
diff --git a/services/web/app/coffee/infrastructure/Server.coffee b/services/web/app/coffee/infrastructure/Server.coffee
index 22600b4e39..5290a65233 100644
--- a/services/web/app/coffee/infrastructure/Server.coffee
+++ b/services/web/app/coffee/infrastructure/Server.coffee
@@ -37,14 +37,16 @@ ignoreCsrfRoutes = []
 app.ignoreCsrf = (method, route) ->
 ignoreCsrfRoutes.push new express.Route(method, route)
-app.configure ()->
+app.configure () ->
+ if Settings.behindProxy
+ app.enable('trust proxy')
 app.use express.static(__dirname + '/../../../public', {maxAge: staticCacheAge })
 app.set 'views', __dirname + '/../../views'
 app.set 'view engine', 'jade'
 app.use express.bodyParser(uploadDir: Settings.path.uploadFolder)
 app.use cookieParser
 app.use express.session
- proxy: true
+ proxy: Settings.behindProxy
 cookie:
 maxAge: cookieSessionLength
 secure: Settings.secureCookie
diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee
index 0a0b931227..287ba8e4c8 100644
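Review bot: Switching the limiter to `subjectName: req.ip` drops the per-email throttle the old `subjectName:email` provided, so one address can now be flooded with reset mails from many source IPs, and the new key is only as good as the proxy behind `trust proxy` (a client-controlled X-Forwarded-For makes it rotatable). I would keep both controls: run the IP limiter, then a second `RateLimiter.addCount` keyed on the email before generateAndEmailResetToken is called. Two smaller points on the same lines: the callback name `canCompile` is left over from the compile limiter, and `err` from addCount is ignored, so a limiter-backend failure is reported to the user as "Rate limit hit" (fail-closed, but the message is misleading; a 429 would also describe the throttled case better than 500 if the client tolerates it). Indentation is lost in this rendering, so I cannot confirm the generateAndEmailResetToken call sits inside the addCount callback; requestReset continues past the hunk.
```coffeescript
	requestReset: (req, res)->
		email = req.body.email.trim().toLowerCase()
		ipOpts =
			endpointName: "password_reset_rate_limit"
			timeInterval: 60
			subjectName: req.ip
			throttle: 6
		emailOpts =
			endpointName: "password_reset_rate_limit_email"
			timeInterval: 60
			subjectName: email
			throttle: 3
		RateLimiter.addCount ipOpts, (err, ipAllowed) ->
			if !ipAllowed
				return res.send 500, { message: "Rate limit hit. Please wait a while before retrying" }
			RateLimiter.addCount emailOpts, (err, emailAllowed) ->
				if !emailAllowed
					return res.send 500, { message: "Rate limit hit. Please wait a while before retrying" }
				# … unchanged: generateAndEmailResetToken call and its error handling …
```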
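Review bot: `app.enable('trust proxy')` makes `req.ip` (and, via `proxy: Settings.behindProxy`, the session middleware's view of the protocol for its secure-cookie decision) come from the X-Forwarded-* headers of whichever peer connects, which is only safe if the app is reachable solely through a proxy that overwrites, rather than appends to, X-Forwarded-For; otherwise any client can choose the IP the password-reset limiter sees. The hunk records none of that precondition, so I would add above the new `if`: `# trust proxy: req.ip/req.protocol are taken from X-Forwarded-*; only enable when the proxy is the sole ingress and sets (not appends) X-Forwarded-For`. As far as I can tell this is Express 3 (app.configure suggests so), where `trust proxy` is a plain on/off switch, so a trusted-address list is not available as a narrower option here. The app.configure body continues past the hunk.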
--- a/services/web/app/coffee/router.coffee
+++ b/services/web/app/coffee/router.coffee
@@ -189,6 +189,13 @@ module.exports = class Router
 userCanSeeDropbox: true
 languages: []
+ app.get "/ip", (req, res, next) -> res.send({ ip: req.ip ips: req.ips headers: req.headers })
+
 app.get '/oops-express', (req, res, next) -> next(new Error("Test error"))
 app.get '/oops-internal', (req, res, next) -> throw new Error("Test error")
 app.get '/oops-mongo', (req, res, next) ->
diff --git a/services/web/config/settings.defaults.coffee b/services/web/config/settings.defaults.coffee
index 8febb274b4..77ffb73793 100644
--- a/services/web/config/settings.defaults.coffee
+++ b/services/web/config/settings.defaults.coffee
@@ -191,6 +191,11 @@ module.exports =
 # cookie with a secure flag (recommended).
 secureCookie: false
+ # If you are running ShareLaTeX behind a proxy (like Apache, Nginx, etc)
+ # then set this to true to allow it to correctly detect the forwarded IP
+ # address and http/https protocol information.
+ behindProxy: false
+
 # Internal configs
 # ----------------
 path:
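Review bot: The new unauthenticated `/ip` route returns `req.headers` wholesale to any caller, which reflects the caller's own cookies back at them (low risk) but also publishes the proxy chain (`req.ips`, X-Forwarded-For/Via values, internal addresses) that the rest of this commit relies on for rate limiting; it reads as a debugging aid rather than something to ship enabled. I would drop the `headers: req.headers` field and keep only `ip: req.ip` and `ips: req.ips`, or remove the route once the proxy setup has been verified, and at minimum guard it the same way the neighbouring `/oops-*` test routes should be. The enclosing Router method starts before the hunk.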
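Review bot: The comment above `behindProxy: false` says what the flag enables but not what it assumes, and the assumption is the security-relevant part: once true, the application believes whatever client IP and protocol it is told in X-Forwarded-For/X-Forwarded-Proto, so it must only be set when the app cannot be reached except through that proxy and the proxy replaces any incoming X-Forwarded-For. I would extend the comment with `# Only enable this if the proxy is the only way to reach ShareLaTeX and it sets (rather than appends to) X-Forwarded-For; otherwise clients can forge the IP used for rate limiting.` That stops an admin flipping it on a host that is also directly exposed.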