
Add config flag to hide X-RateLimit- headers on response

Open SleepyMorpheus opened this issue 1 year ago • 2 comments

Is there an existing issue that is already proposing this?

  • [X] I have searched the existing issues

Is your feature request related to a problem? Please describe it

Throttler responds with both global and local rate-limiting usages as headers after a request. We don't want to expose our rate limiting settings to users.

Describe the solution you'd like

Add a config flag to the interface (like hideHeaders) that prevents the headers from being exposed.

Teachability, documentation, adoption, migration strategy

No response

What is the motivation / use case for changing the behavior?

It does not always make sense to expose the internal state of our application to the user. True, we could remove the headers again, but having a flag is the cleaner way.

SleepyMorpheus avatar Nov 20 '24 15:11 SleepyMorpheus
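As an added illustration of the requested behaviour (this is example code, not nestjs/throttler's implementation, and the `ThrottlerGuard` class, the `hideHeaders` option name and the header names are this example's own assumptions): a minimal fixed-window limiter that emits `X-RateLimit-*` headers by default and suppresses them when the flag is set, while still answering 429 with a `Retry-After` so clients know to back off without learning the configured limit.

```typescript
// Added example: a minimal fixed-window rate limiter modelling the requested
// `hideHeaders` option. Not the nestjs/throttler implementation; names are
// this example's own choices.

interface ThrottleOptions {
  limit: number;          // requests allowed per window
  ttlMs: number;          // window length in milliseconds
  hideHeaders?: boolean;  // hypothetical flag from the issue: drop X-RateLimit-* headers
}

interface ThrottleResult {
  allowed: boolean;
  status: number;                   // 200 when allowed, 429 when throttled
  headers: Record<string, string>;  // headers the guard would attach to the response
}

class ThrottlerGuard {
  // per-client counters for the current window
  private readonly hits = new Map<string, { count: number; resetAt: number }>();

  constructor(private readonly opts: ThrottleOptions) {}

  // `now` is passed in (ms) so the window logic is deterministic and testable.
  handle(clientKey: string, now: number): ThrottleResult {
    let entry = this.hits.get(clientKey);
    if (!entry || now >= entry.resetAt) {
      // start a fresh window for this client
      entry = { count: 0, resetAt: now + this.opts.ttlMs };
      this.hits.set(clientKey, entry);
    }
    entry.count += 1;

    const allowed = entry.count <= this.opts.limit;
    const secondsToReset = Math.ceil((entry.resetAt - now) / 1000);
    const headers: Record<string, string> = {};

    // With hideHeaders set, the limit, remaining budget and reset time are
    // not disclosed to the client; the server still enforces them.
    if (!this.opts.hideHeaders) {
      headers['X-RateLimit-Limit'] = String(this.opts.limit);
      headers['X-RateLimit-Remaining'] = String(Math.max(0, this.opts.limit - entry.count));
      headers['X-RateLimit-Reset'] = String(secondsToReset);
    }

    if (!allowed) {
      // Design choice of this example: a throttled client always gets Retry-After,
      // which says when to retry without revealing the configured limit.
      headers['Retry-After'] = String(secondsToReset);
    }

    return { allowed, status: allowed ? 200 : 429, headers };
  }
}

// Runs the same client against both configurations and returns the header
// names seen on the third (throttled) request, for comparison.
function compareHeaderExposure(): { exposed: string[]; hidden: string[] } {
  const open = new ThrottlerGuard({ limit: 2, ttlMs: 1000 });
  const hidden = new ThrottlerGuard({ limit: 2, ttlMs: 1000, hideHeaders: true });
  let last: ThrottleResult = { allowed: true, status: 200, headers: {} };
  let lastHidden: ThrottleResult = last;
  for (let i = 0; i < 3; i++) {
    last = open.handle('client-a', i * 10);
    lastHidden = hidden.handle('client-a', i * 10);
  }
  return { exposed: Object.keys(last.headers).sort(), hidden: Object.keys(lastHidden.headers).sort() };
}

console.log(compareHeaderExposure());
```

The counter and window logic is identical in both modes; only the response surface changes, which is the point of the flag. Clients that relied on reading `X-RateLimit-Remaining` to pace themselves lose that signal, so the option is best documented as a trade-off rather than a default.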

I'm interested in the flag, we had an issue with an attacker who took advantage of request headers to create efficient attack patterns.

oluizcarvalho avatar Aug 23 '25 05:08 oluizcarvalho

Will this get merged soon? It's good security.

sam0rr avatar Dec 02 '25 04:12 sam0rr