fix(rate-limiting): enable by default with explicit opt-out flag (#808) #954

Open
fathiaoyinloye wants to merge 1 commit into
rinafcode:main from
fathiaoyinloye:fix/rate-limiting-opt-out-default-808

@fathiaoyinloye

closes #808

Summary

  • Flip the rate-limiting feature flag to an explicit opt-out by enabling rate limiting by default and only disabling it when DISABLE_RATE_LIMITING=true.
  • Add a startup warning when rate limiting is explicitly disabled, update environment validation and example environment files, ensure CI relies on the secure default, and add E2E tests verifying rate-limited endpoints return 429 Too Many Requests.

Type of change

  • Bug fix
  • New feature / functionality
  • Refactor (no functional change)
  • Documentation only
  • Contract storage / upgrade change

Testing

  • Updated environment validation to support DISABLE_RATE_LIMITING.
  • Verified rate limiting is enabled by default when no environment variable is set.
  • Verified a startup warning is logged when DISABLE_RATE_LIMITING=true.
  • Added E2E tests confirming rate-limited endpoints return 429 Too Many Requests.
  • Confirmed CI configuration does not set DISABLE_RATE_LIMITING, allowing the secure default behavior.

Security Impact

Previously, rate limiting depended on ENABLE_RATE_LIMITING=true. If the variable was omitted or set to false, the rate-limiting layer was silently disabled, increasing exposure to denial-of-service (DoS) and credential-stuffing attacks.

This change makes rate limiting secure by default, requiring an explicit DISABLE_RATE_LIMITING=true opt-out while providing a startup warning whenever protection is intentionally disabled.
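
An added example (not code from this PR or the repository) of the gate change described above, contrasting the old opt-in check with the opt-out check across constructed environments. The function names, the strict `=== 'true'` parsing and the warning about a leftover `ENABLE_RATE_LIMITING` are assumptions made for illustration.

```javascript
// Added illustration; function names and warning texts are assumptions,
// not taken from the repository.

// Old gate as the PR describes it: on only when the variable is "true".
function legacyRateLimitingEnabled(env) {
  return env.ENABLE_RATE_LIMITING === 'true';
}

// New gate: on unless DISABLE_RATE_LIMITING is exactly "true".
// Assumption: any other value (typo, "1", "TRUE") fails closed, i.e. the
// limiter stays on, and the odd value is reported instead of ignored.
function resolveRateLimiting(env, warn = console.warn) {
  const raw = env.DISABLE_RATE_LIMITING;
  const disabled = raw === 'true';
  const warnings = [];
  if (disabled) {
    warnings.push('Rate limiting is DISABLED (DISABLE_RATE_LIMITING=true)');
  } else if (raw !== undefined && raw !== 'false') {
    warnings.push(`Ignoring DISABLE_RATE_LIMITING=${JSON.stringify(raw)}; limiter stays on`);
  }
  // Assumption: the old variable is no longer read, so flag leftovers.
  if (env.ENABLE_RATE_LIMITING !== undefined) {
    warnings.push('ENABLE_RATE_LIMITING is set but no longer has any effect');
  }
  warnings.forEach((w) => warn(w));
  return { enabled: !disabled, warnings };
}

// Constructed sample environments, not real deployment config.
const SAMPLE_ENVS = {
  unset: {},
  legacyFalse: { ENABLE_RATE_LIMITING: 'false' },
  legacyTrue: { ENABLE_RATE_LIMITING: 'true' },
  optOut: { DISABLE_RATE_LIMITING: 'true' },
  typo: { DISABLE_RATE_LIMITING: 'ture' },
};

// Build a before/after table showing which environments run unprotected.
function compareGates(envs = SAMPLE_ENVS) {
  const rows = {};
  for (const [name, env] of Object.entries(envs)) {
    const next = resolveRateLimiting(env, () => {});
    rows[name] = { before: legacyRateLimitingEnabled(env), after: next.enabled, warnings: next.warnings.length };
  }
  return rows;
}

console.table(compareGates());
```

Under the old gate only `legacyTrue` is protected; under the new gate only the explicit `optOut` environment is unprotected, and it always produces a warning.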

…afcode#808)

- Flip rate limiting default: import RateLimitingModule unless DISABLE_RATE_LIMITING=true
- Add startup warning when rate limiting is explicitly disabled
- Update CI environment to ensure DISABLE_RATE_LIMITING is not set
- Add DISABLE_RATE_LIMITING to environment validation schema
- Update .env.example and .env.staging to use new opt-out flag format
- Add e2e tests verifying rate-limited endpoints return 429 responses

This addresses security concerns where rate limiting was silently disabled
in production if ENABLE_RATE_LIMITING env var was absent or false, exposing
the API to DoS and credential-stuffing attacks.
@drips-wave

drips-wave Bot commented Jun 30, 2026

@fathiaoyinloye Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER

Contributor

Great job so far

There’s just one blocker — merge conflict. Could you take a look and resolve it?

Happy to review again once that’s done.

Development

Successfully merging this pull request may close these issues.

Rate limiting module is feature-flagged off and may not activate in production

2 participants