diff --git a/docs/content/docs/reference/security.mdx b/docs/content/docs/reference/security.mdx
index 77d6f0a119..3c8fd3520c 100644
--- a/docs/content/docs/reference/security.mdx
+++ b/docs/content/docs/reference/security.mdx
@@ -100,7 +100,12 @@ You can configure the IP address header in your Better Auth configuration:
 This ensures that Better Auth only accepts IP addresses from your trusted proxy's header, making it more difficult for attackers to bypass rate limiting or other IP-based security measures by spoofing headers.
-> **Important**: When setting a custom IP address header, ensure that your proxy or load balancer is properly configured to set this header, and that it cannot be set by end users directly.
+
+**Important**
+
+- When setting a custom IP address header, ensure that your proxy or load balancer is properly configured to set this header, and that it cannot be set by end users directly.
+- In dev/test environments, if the IP cannot be retrieved from headers, 127.0.0.1 is used as a fallback.
+
 ## Trusted Origins
diff --git a/packages/better-auth/src/utils/get-request-ip.ts b/packages/better-auth/src/utils/get-request-ip.ts
index 020a6b4ed0..e9d9b28af7 100644
--- a/packages/better-auth/src/utils/get-request-ip.ts
+++ b/packages/better-auth/src/utils/get-request-ip.ts
@@ -13,10 +13,6 @@ export function getIp(
 		return null;
 	}
-	if (isTest() || isDevelopment()) {
-		return LOCALHOST_IP;
-	}
-
 	const headers = "headers" in req ? req.headers : req;
 	const defaultHeaders = ["x-forwarded-for"];
@@ -33,6 +29,12 @@ export function getIp(
 			}
 		}
 	}
+
+	// Fallback to localhost IP in development/test environments when no IP found in headers
+	if (isTest() || isDevelopment()) {
+		return LOCALHOST_IP;
+	}
+
 	return null;
 }
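Review bot: With the early return moved below the header loop, development and test runs now honor whatever `x-forwarded-for` (or the configured header) a client sends and only fall back to `LOCALHOST_IP` when no usable value is found; before this change that header was ignored entirely in those environments. That is a behavioral widening the added comment does not mention, and it matters because the default header is client-controllable, so a dev server reachable on a network now lets the caller choose its own rate-limit bucket. I would extend the comment to `// In dev/test a client-supplied header is still honored above; this fallback applies only when no usable IP was found there`, and the docs bullet in the first file should say the same rather than only describing the fallback. The body of getIp starts above the first hunk, so I cannot see from here whether the loop validates the header value before returning it.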