improve error api rate limiting for production environments

Open FradSer opened this issue 4 months ago • 0 comments

Summary

The current WebXR error logging API uses in-memory rate limiting by IP address, which may not be optimal for production environments with load balancers and proxy configurations.

Current Implementation

  • Uses in-memory rateLimitStore object
  • Rate limits by IP address from x-forwarded-for or x-real-ip headers
  • 10 requests per 15 minutes per IP

Issues

  • In-memory storage doesn't persist across server restarts
  • IP-based limiting may have false positives with NAT/corporate proxies
  • Load balancers may cause issues with IP detection
  • IPv6 compatibility not fully addressed

Proposed Solutions

  1. Production Storage: Implement Redis-based rate limiting for persistence
  2. Enhanced Rate Limiting: Use hash of IP + User-Agent for better client identification
  3. IPv6 Support: Improve IP parsing for IPv6 addresses
  4. Proxy Chain Validation: Better handling of forwarded headers

Implementation

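// Enhanced rate limiting key
import { createHash } from 'crypto'

// clientIp and request come from the surrounding route handler
const rateLimitKey = createHash('sha256')
  .update(`${clientIp}:${request.headers.get('user-agent') || ''}`)
  .digest('hex')
  .substring(0, 16) // keep the first 16 hex characters (64 bits) as the key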

Files to Update

  • app/api/errors/route.ts
  • Consider adding Redis client configuration
  • Update rate limiting logic

Priority

Medium - Affects production scalability but current implementation works for MVP

FradSer, Aug 09 '25 16:08
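One way to approach the "IPv6 Support" and "Proxy Chain Validation" items above, as an added example that is not code from this repository: derive the `clientIp` that feeds the hashed key from the entry appended by the outermost trusted proxy rather than from client-supplied header values. `TRUSTED_PROXY_HOPS`, the function names, and the choice to bucket IPv6 clients by /64 are assumptions made for illustration.

```typescript
// Added example, not code from the frad-me repository.
// Assumption: the number of trusted proxies in front of the app is known.
const TRUSTED_PROXY_HOPS = 1;

// Parse dotted-quad IPv4; returns canonical text or null.
function parseIPv4(s: string): string | null {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const nums = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : 256));
  return nums.every((n) => n <= 255) ? nums.join('.') : null;
}

// Expand an IPv6 literal to eight 16-bit groups; null if malformed.
function expandIPv6(s: string): number[] | null {
  const halves = s.split('::');
  if (halves.length > 2) return null; // at most one "::" is allowed
  const groups = (h: string): number[] =>
    h === '' ? [] : h.split(':').map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  const head = groups(halves[0]);
  const tail = halves.length === 2 ? groups(halves[1]) : [];
  const fill = 8 - head.length - tail.length;
  if (halves.length === 1 ? fill !== 0 : fill < 1) return null;
  const all: number[] = [...head, ...new Array<number>(fill).fill(0), ...tail];
  return all.some((n) => Number.isNaN(n)) ? null : all;
}

// Canonical rate-limit identity: IPv4 as-is, IPv6 collapsed to its /64.
function normalizeIp(raw: string): string | null {
  let s = raw.trim().toLowerCase();
  const bracketed = /^\[([^\]]+)\](?::\d+)?$/.exec(s); // "[v6]:port"
  if (bracketed) s = bracketed[1];
  else if (/^[\d.]+:\d+$/.test(s)) s = s.slice(0, s.lastIndexOf(':')); // "v4:port"
  s = s.split('%')[0]; // drop an IPv6 zone id
  const mapped = /^::ffff:([\d.]+)$/.exec(s); // IPv4-mapped IPv6
  const v4 = parseIPv4(mapped ? mapped[1] : s);
  if (v4) return v4;
  const g = expandIPv6(s);
  return g ? g.slice(0, 4).map((n) => n.toString(16)).join(':') + '::/64' : null;
}

// Use the entry appended by the outermost trusted proxy; entries to its left are client-supplied.
function clientIpFromForwarded(xff: string | null, socketAddr: string, hops: number = TRUSTED_PROXY_HOPS): string | null {
  const entries = (xff ?? '').split(',').map((e) => e.trim()).filter((e) => e !== '');
  // Each trusted proxy appends one entry, so count from the right, never from the left.
  if (hops === 0 || entries.length < hops) return normalizeIp(socketAddr);
  return normalizeIp(entries[entries.length - hops]);
}
```

A `null` result means the address could not be parsed; the caller decides whether to reject the request or fall back to a shared bucket.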