
security: rate-limit POST /api/report-question to 30 requests/hour per IP#534

Open
xpoes123 wants to merge 1 commit into qbreader:main from xpoes123:security/rate-limit-report-question

Conversation


@xpoes123 xpoes123 commented Jun 30, 2026

Contributor

POST /api/report-question had no rate limiting, making it trivial to flood the database with spurious reports.

Problem

routes/api/report-question.js accepted an unlimited number of POST requests per IP. An automated client could generate thousands of bogus reports at no cost, polluting the moderation queue and adding unbounded write load to the database.

Changes

  • Adds express-rate-limit (already a project dependency) to routes/api/report-question.js.
  • Limits each IP to 30 requests per hour; uses standardHeaders: true and legacyHeaders: false, matching the pattern already used in routes/auth/index.js.

Risk & testing

Rate limiting is applied at the router level before the handler, so legitimate users are unaffected at normal usage volumes. No new dependencies introduced. semistandard and node --check pass.
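Added illustration, not part of this PR or qbreader's code: the real change delegates to express-rate-limit, but the plain-Node limiter below reimplements the same fixed-window, per-IP semantics (30 requests per 60-minute window, draft RateLimit-* headers as emitted by standardHeaders: true, no legacy X-RateLimit-* headers) so the budget and the 429 path can be exercised offline. The fakeResponse helper, runScenario driver, injectable clock and the IP addresses are constructed for the demo.

```javascript
// Added example (not qbreader's code): a minimal fixed-window, per-IP rate
// limiter mirroring the express-rate-limit configuration the PR adds to
// routes/api/report-question.js. The clock is injectable so window rollover
// can be exercised without waiting an hour.

const WINDOW_MS = 60 * 60 * 1000; // one hour, as in the PR
const MAX_PER_WINDOW = 30;        // 30 requests per IP per window, as in the PR

function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW, now = () => Date.now() } = {}) {
  const buckets = new Map(); // ip -> { count, resetAt }

  // Record one hit for `ip` and report whether it is still within budget.
  // Rejected requests are counted too, so a flood cannot "wait out" the window
  // by hammering the endpoint.
  function hit(ip) {
    const t = now();
    let bucket = buckets.get(ip);
    if (!bucket || t >= bucket.resetAt) {
      // First request from this IP, or the previous window has expired.
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(ip, bucket);
    }
    bucket.count += 1;
    const remaining = Math.max(0, max - bucket.count);
    const resetSeconds = Math.ceil((bucket.resetAt - t) / 1000);
    return {
      allowed: bucket.count <= max,
      headers: {
        'RateLimit-Limit': String(max),
        'RateLimit-Remaining': String(remaining),
        'RateLimit-Reset': String(resetSeconds),
      },
    };
  }

  // Express-shaped middleware: mounted on the router before the handler, it
  // answers 429 once the IP is over budget and otherwise calls next().
  function middleware(req, res, next) {
    const result = hit(req.ip);
    for (const [name, value] of Object.entries(result.headers)) res.setHeader(name, value);
    if (!result.allowed) {
      res.setHeader('Retry-After', result.headers['RateLimit-Reset']);
      res.status(429).send('Too many requests, please try again later.');
      return;
    }
    next();
  }

  return { hit, middleware };
}

// Constructed stand-in for an Express response: enough to observe status and headers.
function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Drive the middleware through a list of steps: { ip } sends one request,
// { advanceMs } moves the simulated clock forward.
function runScenario(steps) {
  let clock = 0;
  const limiter = createRateLimiter({ now: () => clock });
  const results = [];
  for (const step of steps) {
    if (step.advanceMs !== undefined) { clock += step.advanceMs; continue; }
    const res = fakeResponse();
    let reachedHandler = false;
    limiter.middleware({ ip: step.ip }, res, () => {
      reachedHandler = true; // the real report-question handler would run here
      res.status(200).send('ok');
    });
    results.push({
      ip: step.ip,
      status: res.statusCode,
      reachedHandler,
      remaining: res.headers['RateLimit-Remaining'],
      retryAfter: res.headers['Retry-After'],
    });
  }
  return results;
}

// Constructed scenario: 31 reports from one IP, one from a second IP, then the
// first IP again after the hour has elapsed.
function demoScenario() {
  const flood = Array.from({ length: 31 }, () => ({ ip: '203.0.113.7' }));
  return runScenario([
    ...flood,
    { ip: '198.51.100.2' },
    { advanceMs: WINDOW_MS },
    { ip: '203.0.113.7' },
  ]);
}
```

Calling demoScenario() yields 33 results: the first 30 from 203.0.113.7 reach the handler with RateLimit-Remaining counting down from 29 to 0, the 31st is answered 429 with Retry-After set to the seconds left in the window and never reaches the handler, the other IP is unaffected, and the flooding IP gets a fresh budget once its window has rolled over. That is the behaviour the PR relies on: a per-IP write budget that bounds how many spurious reports one client can push into the moderation queue per hour, without touching legitimate low-volume users.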

@xpoes123 xpoes123 changed the title security: rate-limit the report-question endpoint security: rate-limit POST /api/report-question to 30 requests/hour per IP Jun 30, 2026