diff --git a/.gitignore b/.gitignore
index a8b5f43d6ecbb17a9e02cba431379c07f8328e8d..7c31cd38370a8dc9bc42a3500bae5efb2d25d8cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /vendor
 /.env
+.phpunit.result.cache
diff --git a/app/Config.php b/app/Config.php
index 82944d098eacc51a86d1e33ee6e85492004ed8e1..7a35722242d2fd91f2be0cf3a83ddc94fa822dcf 100644
--- a/app/Config.php
+++ b/app/Config.php
@@ -9,9 +9,12 @@ class Config extends \Riki\Config
 {
     public $logLevel = Logger::WARNING;
 
+    public $trustedProxies = [];
+
     public function __construct(Environment $environment)
     {
         parent::__construct($environment);
         $this->logLevel = Logger::toMonologLevel($this->env('LOG_LEVEL', $this->logLevel));
+        $this->trustedProxies = (array)$this->env('TRUSTED_PROXIES', $this->trustedProxies);
     }
 }
diff --git a/app/Http/Request.php b/app/Http/Request.php
index a249392cceab65a8a29338c3193ffcfa7d7a031a..2b192d2b8d3f805c6e0f788b96cd5199f7f03dcf 100644
--- a/app/Http/Request.php
+++ b/app/Http/Request.php
@@ -80,7 +80,7 @@ class Request extends ServerRequest
     /**
      * Check if the proxy is a trusted proxy.
      *
-     * Returns whether or not the direct client ip ($_SERVER['REMOTE_ADDR']) matches against one of the defined proxies
+     * Returns whether the direct client ip ($_SERVER['REMOTE_ADDR']) matches against one of the defined proxies
      * in $config->trustedProxies.
      *
      * $config->trustedProxies is an array of ip addresses, address ranges or a partial reg ex pattern.
@@ -90,9 +90,7 @@ class Request extends ServerRequest
      * $config->trustedProxies = [
      *     '192.168.0.1', // ipv4 of our reverse proxy (only one proxy)
      *     '42.42.42.64/28', // ipv4 subnet (the proxy comes from this subnet)
-     *     '42.42.42.\d+', // ipv4 reg ex matching any ip from a /24 subnet
-     *     'fe80::/64', // link local ipv6 range
-     *     'fe80:(:|(0:)+)+[0-9a-f:]+', // unsure if this works - ipv6 reg ex patterns are terrible
+     *     'fe80::/64', //  local ipv6 range
      * ];
      *```
      *
diff --git a/app/Service/IpHelper.php b/app/Service/IpHelper.php
index 6c36fad0c50bacbaa80334dec80281913d41405e..d2a4f31ec80b1f7443c90b249e2a8834d623d856 100644
--- a/app/Service/IpHelper.php
+++ b/app/Service/IpHelper.php
@@ -11,7 +11,6 @@ class IpHelper
      * - an ip address (e.g. 192.168.0.1)
      * - an ipv4 range (e.g. 10.23.0.0/16)
      * - an ipv6 range (e.g. fe80::/64)
-     * - a regular expression (e.g. 192.168.0.\d+)
      *
      * @param string $ip
      * @param string $range
@@ -19,13 +18,19 @@ class IpHelper
      */
     public static function isInRange(string $ip, string $range): bool
     {
+        // if there is no range defined we use the first 128 bit
         if (strpos($range, '/') === false) {
-            return (bool)preg_match('/' . $range . '/', $ip);
+            $net = $range;
+            $maskbits = 128;
+        } else {
+            list($net, $maskbits) = explode('/', $range);
         }
 
-        list($net, $maskbits) = explode('/', $range);
         $binaryIp = self::iptToBits($ip);
         $binaryNet = self::iptToBits($net);
+        if (strlen($binaryIp) != strlen($binaryNet)) {
+            return false;
+        }
 
         $ipNetBits = substr($binaryIp, 0, $maskbits);
         $netBits   = substr($binaryNet, 0, $maskbits);
diff --git a/tests/Unit/Service/IpHelperTest.php b/tests/Unit/Service/IpHelperTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..6795e3bff65dec2e0f041ff57100714fb453bca3
--- /dev/null
+++ b/tests/Unit/Service/IpHelperTest.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace Test\Unit\Service;
+
+use App\Service\IpHelper;
+use Test\TestCase;
+
+class IpHelperTest extends TestCase
+{
+    /** @test
+     * @dataProvider ipv4Ranges */
+    public function isInRangeWorksWithIpv4Ranges(string $ip, string $range, bool $result)
+    {
+        self::assertSame($result, IpHelper::isInRange($ip, $range));
+    }
+
+    public function ipv4Ranges(): array
+    {
+        return [
+            ['192.168.0.1', '192.168.0.0/24', true],
+            ['192.172.168.12', '192.172.168.0/28', true],
+            ['192.172.168.12', '192.172.168.0/29', false],
+            ['10.192.39.29', '10.0.0.0/8', true],
+            ['127.0.1.1', '127.0.0.1/32', false],
+        ];
+    }
+
+    /** @test
+     * @dataProvider ipv6Ranges */
+    public function isInRangeWorksWithIpv6Ranges(string $ip, string $range, bool $result)
+    {
+        self::assertSame($result, IpHelper::isInRange($ip, $range));
+    }
+
+    public function ipv6Ranges(): array
+    {
+        return [
+            ['fe80::1', 'fe80::/64', true],
+            ['::1', '::1/128', true],
+            ['fe80::1', '::1/128', false],
+        ];
+    }
+
+    /** @test */
+    public function isInRangeWorksWithSingleIpAddressesInIpv4()
+    {
+        self::assertTrue(IpHelper::isInRange('192.168.0.1', '192.168.0.1'));
+    }
+
+    /** @test */
+    public function isInRangeWorksWithSingleIpAddressesInIpv6()
+    {
+        self::assertTrue(IpHelper::isInRange('fe80::1', 'fe80:0:0:0:0:0:0:1'));
+    }
+
+    /** @test */
+    public function isInRangeDoesNotMatchIpsWithDifferentProtocolVersion()
+    {
+        self::assertFalse(IpHelper::isInRange('192.168.0.1', 'c0a8:1::'));
+        self::assertFalse(IpHelper::isInRange('192.168.0.1', 'c0a8:1::/32'));
+    }
+}