diff --git a/app/api/routes.py b/app/api/routes.py
index 0deb05b..7013d59 100644
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -600,12 +600,20 @@ def require_auth() -> Response | None:
 
 
 def is_trusted_proxy() -> bool:
-    """Verify request comes from trusted reverse proxy via shared secret."""
+    """Verify request comes from trusted reverse proxy via shared secret.
+
+    Result is cached per-request in Flask's g object for efficiency.
+    """
+    if hasattr(g, "_trusted_proxy"):
+        return g._trusted_proxy
+
     expected = current_app.config.get("TRUSTED_PROXY_SECRET", "")
     if not expected:
+        g._trusted_proxy = True
         return True
     provided = request.headers.get("X-Proxy-Secret", "")
-    return hmac.compare_digest(expected, provided)
+    g._trusted_proxy = hmac.compare_digest(expected, provided)
+    return g._trusted_proxy
 
 
 def get_client_fingerprint() -> str | None:
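Review bot: The rewritten comparison `g._trusted_proxy = hmac.compare_digest(expected, provided)` still passes two `str` values, and `hmac.compare_digest` raises `TypeError` when a `str` argument contains non-ASCII characters, so a request carrying a non-ASCII `X-Proxy-Secret` header would likely end in an unhandled 500 instead of a clean rejection. Assuming the configured secret is a `str`, comparing bytes avoids that: `g._trusted_proxy = hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))`. The added `g._trusted_proxy = True` in the `if not expected:` branch memoizes the fail-open path, where an unset `TRUSTED_PROXY_SECRET` makes every caller count as the trusted proxy; a comment such as `# fail-open: no secret configured, every client is treated as the trusted proxy` would make that visible, and a startup check that the secret is set in production would be worth considering. The new docstring says the result is cached per request, but `g` is scoped to the application context, so requests issued inside one manually pushed app context (as test suites often do) would share the first decision; `Result is cached on flask.g (application context) for efficiency.` is more precise.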