
Rate limit

Open lucasdupin opened this issue 10 years ago • 1 comments

It would be nice to have rate limits for collections, restricting by IPs. After n requests, the request should be dropped, for security reasons, as in a honey pot.

Suggestion: It can be declarative, in the security.yml, like this:

collections:
  auths:
    max_request_per_minute: 100

lucasdupin avatar Jan 09 '15 18:01 lucasdupin

I'll leave a quotation for further reference here:

To prevent abuse, it is standard practice to add some sort of rate limiting to an API. RFC 6585 introduced a HTTP status code 429 Too Many Requests to accommodate this.

However, it can be very useful to notify the consumer of their limits before they actually hit them. This is an area that currently lacks standards but has a number of popular conventions using HTTP response headers.

At a minimum, include the following headers (using Twitter's naming conventions as headers typically don't have mid-word capitalization):

  • X-Rate-Limit-Limit - The number of allowed requests in the current period
  • X-Rate-Limit-Remaining - The number of remaining requests in the current period
  • X-Rate-Limit-Reset - The number of seconds left in the current period

Source: http://www.vinaysahni.com/best-practices-for-a-pragmatic-restful-api

endel avatar Jan 13 '15 16:01 endel
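The two ideas in this thread, a per-collection limit keyed by client IP as proposed in the `security.yml` snippet, and the 429 plus `X-Rate-Limit-*` header convention quoted in the reply, fit together in one small fixed-window limiter. The following is an added example written for this page, not code from the issue or from the project itself; it is in Python for readability, and the `RateLimiter` class, the dict shape mirroring the YAML, and the caller-supplied clock are assumptions made here.

```python
"""Per-collection, per-IP fixed-window rate limiter (added example).

Models the proposed `max_request_per_minute` setting and answers
over-limit requests with 429 Too Many Requests (RFC 6585) plus the
X-Rate-Limit-Limit / -Remaining / -Reset headers quoted in the thread.
The class name, config dict shape and injectable `now` are assumptions.
"""
import math
import time
from dataclasses import dataclass

WINDOW_SECONDS = 60  # "per minute", as in the proposed security.yml


@dataclass
class Decision:
    allowed: bool
    status: int     # 200 when allowed, 429 Too Many Requests otherwise
    headers: dict   # rate-limit headers to merge into the response


class RateLimiter:
    def __init__(self, config):
        # config mirrors security.yml, e.g.
        # {"collections": {"auths": {"max_request_per_minute": 100}}}
        self.limits = {
            name: rules["max_request_per_minute"]
            for name, rules in config.get("collections", {}).items()
            if "max_request_per_minute" in rules
        }
        # (collection, ip) -> (window_start, request_count)
        self._buckets = {}

    def check(self, collection, ip, now=None):
        """Record one request and decide whether it may proceed."""
        now = time.time() if now is None else now
        limit = self.limits.get(collection)
        if limit is None:
            # No limit configured for this collection: always allow.
            return Decision(True, 200, {})

        # Fixed window aligned to the minute boundary.
        window_start = math.floor(now / WINDOW_SECONDS) * WINDOW_SECONDS
        key = (collection, ip)
        start, count = self._buckets.get(key, (window_start, 0))
        if start != window_start:
            start, count = window_start, 0   # new window: counter resets

        reset_in = int(math.ceil(start + WINDOW_SECONDS - now))
        if count >= limit:
            # Over budget: drop the request, tell the client when to retry.
            self._buckets[key] = (start, count)
            return Decision(False, 429, {
                "X-Rate-Limit-Limit": str(limit),
                "X-Rate-Limit-Remaining": "0",
                "X-Rate-Limit-Reset": str(reset_in),
                "Retry-After": str(reset_in),
            })

        count += 1
        self._buckets[key] = (start, count)
        return Decision(True, 200, {
            "X-Rate-Limit-Limit": str(limit),
            "X-Rate-Limit-Remaining": str(limit - count),
            "X-Rate-Limit-Reset": str(reset_in),
        })


if __name__ == "__main__":
    # Constructed demo: three requests allowed, the fourth rejected.
    limiter = RateLimiter({"collections": {"auths": {"max_request_per_minute": 3}}})
    t0 = 1_000_020.0
    for i in range(4):
        d = limiter.check("auths", "198.51.100.7", now=t0 + i)
        print(d.status, d.headers)
```

Two things a deployment would add on top of this sketch: the `_buckets` dict grows with every distinct client IP, so entries from past windows need eviction (or a TTL-backed store), and the `ip` passed in must be the address the server actually observed, taking `X-Forwarded-For` into account only when it comes from a trusted proxy, otherwise a client can pick which bucket it lands in.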