stefanprodan / WebApiThrottle

ASP.NET Web API rate limiter for IIS and Owin hosting

X-Forwarded-For security issue

mustafakarakus opened this issue · comments

First of all, thank you for this project. I am using it, but there is a HUGE security issue.
When I was testing my application, I bypassed the throttle successfully and logged in after a brute-force attack!

You are getting the client IP address from X-Forwarded-For, and this header can be manipulated, so I changed my IP address in X-Forwarded-For for every throttle limit.
The problem is caused by HttpRequestExtensions.cs

Be safe.

The HUGE risk is when you don't configure your reverse proxy to set that header, e.g. nginx `proxy_set_header`.

You can also implement your own client IP fetch logic here: https://github.com/stefanprodan/WebApiThrottle#custom-ip-address-parsing

Then you should warn people: "Configure your reverse proxy because we are reading the IP from the client."
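The trusted-proxy approach the maintainer refers to above, as an added example that is not part of WebApiThrottle: the helper trusts X-Forwarded-For only for hops that are known reverse proxies, and otherwise falls back to the socket peer. The proxy addresses and sample requests are constructed; wiring it into the library's custom IP address parsing hook (and obtaining the peer address from the IIS or OWIN host) is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added example, not part of WebApiThrottle. Resolves the real client address
// from the socket peer plus X-Forwarded-For, trusting the header only for hops
// appended by a known reverse proxy.
public static class TrustedProxyClientIp
{
    // Walks X-Forwarded-For right to left (nearest hop first). Addresses of
    // trusted proxies are skipped; the first address that is not a trusted proxy
    // is the client. Anything further left was written by the client itself and
    // is ignored. A malformed entry stops the walk at the last trustworthy hop.
    public static IPAddress Resolve(IPAddress peer, string xForwardedFor, ISet<IPAddress> trustedProxies)
    {
        // Direct connection (or empty header): the header is attacker-controlled,
        // so the peer address is the only value the server actually observed.
        if (!trustedProxies.Contains(peer) || string.IsNullOrWhiteSpace(xForwardedFor))
            return peer;

        var hops = xForwardedFor.Split(',').Select(h => h.Trim()).Where(h => h.Length > 0).ToList();
        IPAddress candidate = peer;
        for (int i = hops.Count - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i], out hop))
                return candidate;                 // garbage in the header: stop here
            candidate = hop;
            if (!trustedProxies.Contains(hop))
                return candidate;                 // first untrusted hop is the client
        }
        return candidate;                         // header contained only proxies
    }

    public static void Main()
    {
        // Constructed: the reverse proxies that are allowed to set X-Forwarded-For.
        var proxies = new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

        // Client connects directly and spoofs the header: header is ignored.
        Console.WriteLine(Resolve(IPAddress.Parse("203.0.113.7"), "198.51.100.1", proxies));
        // Via the proxy, client prepended a fake hop: nearest untrusted hop wins.
        Console.WriteLine(Resolve(IPAddress.Parse("10.0.0.5"), "198.51.100.1, 203.0.113.7", proxies));
        // Via the proxy with a well-formed header: the forwarded client address.
        Console.WriteLine(Resolve(IPAddress.Parse("10.0.0.5"), "203.0.113.7", proxies));
    }
}
```

All three calls resolve to 203.0.113.7, which is the point: a throttle keyed on this value cannot be reset by rewriting the header.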