fix(rate-limiting): enable by default with explicit opt-out flag (#808)#954
Open
fathiaoyinloye wants to merge 1 commit into
Open
fix(rate-limiting): enable by default with explicit opt-out flag (#808)#954fathiaoyinloye wants to merge 1 commit into
fathiaoyinloye wants to merge 1 commit into
Conversation
…afcode#808) - Flip rate limiting default: import RateLimitingModule unless DISABLE_RATE_LIMITING=true - Add startup warning when rate limiting is explicitly disabled - Update CI environment to ensure DISABLE_RATE_LIMITING is not set - Add DISABLE_RATE_LIMITING to environment validation schema - Update .env.example and .env.staging to use new opt-out flag format - Add e2e tests verifying rate-limited endpoints return 429 responses This addresses security concerns where rate limiting was silently disabled in production if ENABLE_RATE_LIMITING env var was absent or false, exposing the API to DoS and credential-stuffing attacks.
|
@fathiaoyinloye Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
Contributor
|
Great job so far There’s just one blocker — merge conflict. Could you take a look and resolve it? Happy to review again once that’s done. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
closes #808
Summary
DISABLE_RATE_LIMITING=true.429 Too Many Requests.Type of change
Testing
DISABLE_RATE_LIMITING.DISABLE_RATE_LIMITING=true.429 Too Many Requests.DISABLE_RATE_LIMITING, allowing the secure default behavior.Security Impact
Previously, rate limiting depended on
ENABLE_RATE_LIMITING=true. If the variable was omitted or set tofalse, the rate-limiting layer was silently disabled, increasing exposure to denial-of-service (DoS) and credential-stuffing attacks.This change makes rate limiting secure by default, requiring an explicit
DISABLE_RATE_LIMITING=trueopt-out while providing a startup warning whenever protection is intentionally disabled.