66 // We rate limit unsuccessful (4xx/5xx statuses, excluding 404) to only 10 per 5 minutes, this
67 // should allow legitimate users a few tries to login or experiment without
68 // allowing bad-actors to abuse requests. 404s are excluded because browsers
69 // (especially Safari) automatically request favicon/apple-touch-icon paths that
70 // don't exist, and those harmless misses should not burn the rate-limit budget.
71 app.use(RateLimit({
72 windowMs: 5 * 60 * 1000,
73 max: 10,
74 skipSuccessfulRequests: true,
75 requestWasSuccessful: (req, res) => res.statusCode < 400 || res.statusCode === 404,
76 }));
It used to, but with the SPA + OIDC 401 is an expected error status, maybe some others too. I really want the LB to do ratelimiting not the app. Need some fairly lenient defaults though because I don't wanna be tuning them.
This doesn't work
It used to, but with the SPA + OIDC 401 is an expected error status, maybe some others too. I really want the LB to do ratelimiting not the app. Need some fairly lenient defaults though because I don't wanna be tuning them.