about summary refs log tree commit diff
path: root/config/initializers/rack_attack.rb
AgeCommit message (Collapse)Author
2020-01-15update `rack_attack` configmultiple creatures
2019-11-26fix breaking typomultiple creatures
2019-11-19Fix undefined method error (#10868)Hinaloe
2019-11-19Fix undefined method error. (#10867)mayaeh
2019-11-19Improve rate limiting (#10860)ThibG
* Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 seconds
2019-09-06raise authenticated api limitmultiple creatures
2019-09-01bump up authenticated media api req limitmultiple creatures
2019-08-15relax the the media proxy rate limit when logged in (now with 300% more ↵multiple creatures
relaxation)
2019-08-04allow more media proxy requests when logged inmultiple creatures
2019-08-04update `rack_attack` config from `glitch-soc`multiple creatures
2019-04-07Add rate limit for media proxy requests (#10490)Eugen Rochko
30 per 30 minutes, like media uploads
2019-02-14Add tight rate-limit for API deletions (#10042)Eugen Rochko
Deletions take a lot of resources to execute and cause a lot of federation traffic, so it makes sense to decrease the number someone can queue up through the API. 30 per 30 minutes
2018-12-24Add REST API for creating an account (#9572)Eugen Rochko
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
2018-10-04lint pass 2 (#8878)aus-social
* Code quality pass * Typofix * Update applications_controller_spec.rb * Update applications_controller_spec.rb
2018-05-03Add a missing question mark in rack_attack.rb (#7338)Akihiko Odaki
2018-05-03Throttle media post (#7337)Akihiko Odaki
The previous rate limit allowed to post media so fast that it is possible to fill up the disk space even before an administrator notices. The new rate limit is configured so that it takes 24 hours to eat 10 gigabytes: 10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30) The period is set long so that it does not prevent from attaching several media to one post, which would happen in a short period. For example, if the period is 5 minutes, the rate limit would be: 10 * 1024 / 8 / (24 * 60 / 5) = 4 This long period allows to lift the limit up.
2018-01-09Increase rate limit on protected paths (#6229)Eugen Rochko
Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
2017-12-11Apply a 25x rate limit by IP even to authenticated requests (#5948)Eugen Rochko
2017-12-09Missing require 'authorization_decorator'. (#5947)Naoki Kosaka
2017-12-09Rate limit by user instead of IP when API user is authenticated (#5923)Eugen Rochko
* Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper
2017-08-08Add Content-Type header on throttled response to fix mojibake (#4558)unarist
application/json only allows Unicode, so this prevents from wrong charset detection.
2017-05-03Localize 'throttled' (#2755)alpaca-tc
2017-04-30allow localhost to bypass the ratelimit (#2554)Tristan Mahé
2017-04-18Add rate limits for logins and sign-ups by IP (5 in 5 minutes) (#2079)Eugen
* Add rate limits for logins and sign-ups by IP (5 in 5 minutes) Should be enough for normal attempts * Add rate limit for forgotten password form as well