From ed7379a251a968c229755243fc854a8270048058 Mon Sep 17 00:00:00 2001
From: xpoes123
Date: Mon, 29 Jun 2026 23:41:14 -0400
Subject: [PATCH] security: rate-limit the report-question endpoint
---
 routes/api/report-question.js | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/routes/api/report-question.js b/routes/api/report-question.js
index ea3daefd4..d6635c2cf 100644
--- a/routes/api/report-question.js
+++ b/routes/api/report-question.js
@@ -2,8 +2,15 @@ import { ObjectId } from 'mongodb';
 import reportQuestion from '../../database/qbreader/report-question.js';
 import { Router } from 'express';
+import rateLimit from 'express-rate-limit';
 const router = Router();
+router.use(rateLimit({
+ windowMs: 60 * 60 * 1000, // 1 hour
+ max: 30, // Limit each IP to 30 requests per window
+ standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+ legacyHeaders: false // Disable the `X-RateLimit-*` headers
+}));
 router.post('/', async (req, res) => {
 let _id;
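Review bot: The new `router.use(rateLimit({...}))` keys its buckets on the client IP, so behind a reverse proxy or CDN its effect depends on the app-level Express `trust proxy` setting, which this hunk does not show: left unset, every client shares the proxy's address and the single 30-per-hour budget; set too permissively, a client can present a fresh `X-Forwarded-For` per request and never hit the limit. Worth confirming that setting where the app is created and recording the dependency next to the limiter, e.g. `// keyed on req.ip — relies on a correct 'trust proxy' setting when deployed behind a proxy`. The limiter also uses the library's default in-memory store, so the count is per process; if the service runs more than one instance the effective limit is 30 per instance rather than 30 overall. If the project is on express-rate-limit v7 or later, `max` is the deprecated alias of `limit`, so `limit: 30, // each IP gets 30 requests per window` would avoid the deprecation warning.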