Skip to content

Fix ratelimiting #403

Description

@runleveldev

This doesn't work

    66    // We rate limit unsuccessful (4xx/5xx statuses, excluding 404) to only 10 per 5 minutes, this
    67    // should allow legitimate users a few tries to login or experiment without
    68    // allowing bad-actors to abuse requests. 404s are excluded because browsers
    69    // (especially Safari) automatically request favicon/apple-touch-icon paths that
    70    // don't exist, and those harmless misses should not burn the rate-limit budget.
    71    app.use(RateLimit({
    72      windowMs: 5 * 60 * 1000,
    73      max: 10,
    74      skipSuccessfulRequests: true,
    75      requestWasSuccessful: (req, res) => res.statusCode < 400 || res.statusCode === 404,
    76    }));

It used to, but with the SPA + OIDC 401 is an expected error status, maybe some others too. I really want the LB to do ratelimiting not the app. Need some fairly lenient defaults though because I don't wanna be tuning them.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions