
feat: add rate limiting to API endpoints to mitigate abuse and DoS #1282

Open
dataCenter430 wants to merge 1 commit into eigent-ai:main from dataCenter430:add-rate-limiting

Conversation

@dataCenter430

Related Issue

Rate limiting – endpoints not rate-limited, increasing abuse and DoS risk.

Closes #1260

Description

Rate limiting is implemented for both the server and backend FastAPI apps using slowapi.

Changes

server/pyproject.toml Added slowapi>=0.1.9
backend/pyproject.toml Added slowapi>=0.1.9
server/app/rate_limit.py New rate limiting module
backend/app/rate_limit.py New rate limiting module
server/app/middleware/__init__.py Calls setup_rate_limiting(api)
backend/app/__init__.py Calls setup_rate_limiting(api)
server/app/controller/health_controller.py Added @limiter.exempt on health endpoint
backend/app/controller/health_controller.py Added @limiter.exempt on health endpoint
server/.env.example Added RATE_LIMIT_ENABLED, RATE_LIMIT_DEFAULT

Behavior

  • Global limit: 100 requests per minute per IP (configurable via RATE_LIMIT_DEFAULT)
  • Health endpoints (/health) exempted for health checks and load balancers
  • Can be disabled with RATE_LIMIT_ENABLED=false
  • Uses in-memory storage by default; SlowAPI also supports Redis for multi-instance deployments
  • Returns HTTP 429 when limits are exceeded

Why it's better

  • Abuse risk:
    • Before: Endpoints could be hit without limits
    • After: Requests per IP capped (default 100/min)
  • DoS resilience:
    • Before: No protection against flood attacks
    • After: Traffic above limit rejected with 429
  • Health checks:
    • Before: N/A
    • After: Exempt, so orchestration and monitoring stay reliable
  • Configurability:
    • Before: N/A
    • After: Limits tunable via RATE_LIMIT_DEFAULT (e.g. 200/minute)
  • Operational control:
    • Before: N/A
    • After: Can turn off with RATE_LIMIT_ENABLED=false if needed

To install dependencies and try it

cd server && uv sync # or: pip install slowapi
cd backend && uv sync # or: pip install slowapi

What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Contribution Guidelines Acknowledgement
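The behaviour the PR describes (a slowapi-style limit string such as `100/minute`, HTTP 429 above the limit, `/health` exempt, an `enabled` switch, and in-memory per-process counters) can be exercised without the project's code. The block below is an added, dependency-free illustration written for this page; it is not the PR's `rate_limit.py` and does not use slowapi itself. It also shows the check a reviewer would ask about: keying on the TCP peer address (what slowapi's default `get_remote_address` does) collapses every user behind a load balancer into one bucket, so `X-Forwarded-For` has to be honoured, but only when the peer is a trusted proxy. The `TRUSTED_PROXIES` range, the header handling and the sample addresses are assumptions for the example.

```python
"""Per-IP fixed-window rate limiter with a health-check exemption.

Added example, not code from the eigent PR. Mirrors the PR's described
behaviour (limit string, 429, /health exempt, RATE_LIMIT_ENABLED toggle,
in-memory counters) so it can be run and checked offline.
"""
from __future__ import annotations

import ipaddress
import re
import time
from collections import defaultdict

# Assumption for the example: only the load balancer in this range may set
# X-Forwarded-For. A direct client sending a forged header is keyed on its
# real peer address, otherwise one attacker could rotate keys at will.
TRUSTED_PROXIES = ipaddress.ip_network("10.0.0.0/8")

_LIMIT_RE = re.compile(r"^\s*(\d+)\s*/\s*(second|minute|hour|day)s?\s*$")
_WINDOW_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(limit: str) -> tuple[int, int]:
    """"100/minute" -> (100, 60). A malformed RATE_LIMIT_DEFAULT raises at
    startup instead of silently leaving endpoints unlimited."""
    m = _LIMIT_RE.match(limit)
    if not m:
        raise ValueError(f"invalid rate limit {limit!r}, expected e.g. '100/minute'")
    return int(m.group(1)), _WINDOW_SECONDS[m.group(2)]


def client_key(peer_ip: str, forwarded_for: str | None) -> str:
    """Address to rate-limit on. Behind a proxy the TCP peer is the proxy, so
    use the last X-Forwarded-For hop (the one the trusted proxy appended) and
    never the client-controlled first entry. Assumes a single proxy hop."""
    if forwarded_for and ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer_ip


class FixedWindowLimiter:
    """One counter per (key, window). State is per process, like the PR's
    default in-memory storage: with N uvicorn workers or instances each keeps
    its own counts, so the effective limit is N times the configured one
    unless a shared store such as Redis is used."""

    def __init__(self, limit: str, enabled: bool = True, exempt_paths=("/health",)):
        self.max_requests, self.window = parse_limit(limit)
        self.enabled = enabled  # RATE_LIMIT_ENABLED=false -> never block
        self.exempt_paths = set(exempt_paths)
        self._counts: dict[tuple[str, int], int] = defaultdict(int)

    def check(self, path: str, key: str, now: float | None = None) -> int:
        """HTTP status the middleware should produce: 200 to proceed, 429 when
        the key has used up its window."""
        if not self.enabled or path in self.exempt_paths:
            return 200
        now = time.time() if now is None else now
        bucket = (key, int(now // self.window))
        self._counts[bucket] += 1
        return 200 if self._counts[bucket] <= self.max_requests else 429


def simulate() -> dict:
    """Drive the limiter with constructed traffic and report what happened."""
    limiter = FixedWindowLimiter("100/minute")
    t0 = 1_700_000_000.0  # fixed clock: 20 s into a minute window, deterministic

    # Two clients behind the trusted balancer 10.0.0.5 get separate buckets;
    # a direct client forging the header is keyed on its real address.
    alice = client_key("10.0.0.5", "203.0.113.7")
    bob = client_key("10.0.0.5", "198.51.100.9")
    spoofer = client_key("192.0.2.44", "203.0.113.7")

    api = [limiter.check("/api/chat", alice, t0 + i * 0.1) for i in range(101)]
    health = [limiter.check("/health", alice, t0 + i) for i in range(500)]

    return {
        "alice_first_100": api[:100].count(200),
        "alice_101st": api[100],
        "bob_unaffected": limiter.check("/api/chat", bob, t0 + 5),
        "spoofer_key": spoofer,
        "health_429s": health.count(429),
        "alice_after_window": limiter.check("/api/chat", alice, t0 + 60),
    }
```

Running `simulate()` shows the 101st request from the same client in one minute getting 429 while a second client and the 500 health probes are untouched, and the forged header being ignored for a non-proxy peer. When wiring slowapi for real, the equivalent decisions are the `key_func` passed to `Limiter` (a proxy-aware one rather than the default) and the `storage_uri` (Redis for a fleet-wide limit).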



Development

Successfully merging this pull request may close these issues.

[Feature Request] Architecture and UX Improvement

1 participant