From 60179030f22af31add2595922be612d766bfe153 Mon Sep 17 00:00:00 2001 From: vinckr Date: Wed, 30 Oct 2024 20:49:22 +0100 Subject: [PATCH] chore: implement styleguide --- docs/guides/rate-limits.mdx | 232 ++++++++++++++++-------------------- 1 file changed, 104 insertions(+), 128 deletions(-) diff --git a/docs/guides/rate-limits.mdx b/docs/guides/rate-limits.mdx index 2eefdb2a6..b83314bf0 100644 --- a/docs/guides/rate-limits.mdx +++ b/docs/guides/rate-limits.mdx @@ -1,103 +1,94 @@ --- id: rate-limits -title: Understanding Ory Network Rate Limiting -sidebar_label: Rate Limits +title: Understand Ory Network rate limiting +sidebar_label: Rate limits --- -This page provides a high-level overview of the rate limiting mechanisms employed by Ory to ensure system security and -availability. Rate limiting is crucial for protecting your applications against abuse and attacks, preventing service disruptions, -and ensuring fair usage for all our customers. - -## Types of Rate Limits - -Ory implements two main types of rate limits: - -1. [**Project Rate Limits in Workspaces**](#project-rate-limits-in-workspaces): These limits are determined by your Ory - subscription plan and project environment. They define the maximum number of requests your projects can make to Ory's APIs - within a given timeframe. This ensures fair resource allocation across all Ory projects. - 1. These limits are applied at the project level, meaning all requests originating from a specific project contribute to the - rate limit counter for that project. - 2. Project Rate Limits are defined in terms of:
**Burst Limit:** This governs the maximum number of requests allowed per - second, accommodating temporary spikes in traffic.
**Sustained Limit:** This sets the maximum request count over a - one-minute period, ensuring consistent and fair usage. -2. [**Endpoint-Based Rate Limits**](#endpoint-based-rate-limits): These limits focus on safeguarding specific endpoints of your - Ory projects against common attack vectors like brute-force and credential stuffing attempts. They typically consider factors - like source IP address and request frequency to identify and mitigate malicious activity. - 1. Endpoint-based rate limits act as a first line of defense for your project endpoints. These limits often leverage the source - IP address as a key criterion, allowing Ory to identify and block requests originating from suspicious or malicious sources. +This page provides a high level overview of the rate limiting mechanisms employed by Ory to ensure system security and +availability. Rate limiting is important to protect your applications against abuse and attacks, prevent service disruptions, and +ensure fair usage for all our customers. + +## Types of rate limits + +Ory implements two main rate limits: + +1. Project rate limits in Workspaces: These limits are determined by your Ory subscription plan and project environment. They + define the maximum number of requests your projects can make to Ory's APIs within a given timeframe. This ensures fair resource + allocation across all Ory projects. + 1. These limits are applied at the project level, meaning all requests from a specific project contribute to the rate limit + counter for that project. + 2. Project rate limits are defined in terms of: + - Burst limit: This governs the maximum number of requests allowed per second for temporary spikes in traffic. + - Sustained limit: This sets the maximum request count over one minute, ensuring consistent and fair usage. +2. 
Endpoint based rate limits: These limits focus on safeguarding specific endpoints of your Ory projects against common attack + vectors like brute-force and credential stuffing attempts. They typically consider factors like source IP address and request + frequency to identify and mitigate malicious activity. + 1. Endpoint-based rate limits act as a first line of defense for your project endpoints. These limits often use the source IP + address as a key criterion, allowing Ory to identify and block requests from suspicious or malicious sources. 2. By analyzing request patterns and incorporating factors like source IP, Ory can effectively differentiate between legitimate user traffic and potentially harmful bot activity. -## Benefits of Rate Limiting - -- **Enhanced Security:** Rate limits help prevent attacks like brute-force and credential stuffing by restricting the number of - attempts from a single source within a specific timeframe. -- **Improved Stability:** By limiting excessive requests, rate limiting protects your application from overload and potential - downtime. -- **Fair Usage:** Project-based rate limits ensure fair resource allocation and prevent any single project from monopolizing - shared resources. - -## Project Rate Limits in Workspaces +## Project rate limits in workspaces With the introduction of Workspaces in Ory Network, rate limits are now applied to projects based on their assigned environment and the Workspace's subscription plan. This approach ensures fair resource allocation and maintains the stability of the Ory Network across different usage scenarios. -### How Project Rate Limits Work in Workspaces +### How project rate limits work in workspaces Rate limits for each project are determined by two main factors: -1. **Workspace Subscription**: Your subscription plan (Developer, Production, Growth, or Enterprise) sets the baseline for your - rate limits. -2. 
**Project Environment**: Within each Workspace, projects can be assigned to Production, Staging, or Development environments, - each with specific rate limit configurations. +1. Workspace subscription: Your subscription plan (Developer, Production, Growth, or Enterprise) sets the baseline for your rate + limits. +2. Project environment: Within each Workspace, projects can be assigned to Production, Staging, or Development environments, each + with specific rate limit configurations. For a detailed explanation of Workspaces and Environments, please refer to our [Workspaces and Environments guide](/docs/guides/workspaces). -### Rate Limit Structure +### Rate limit structure -Each rate limit policy includes two types of limits: +Each rate limit policy includes two limits: -1. **Burst Limit**: Maximum requests per second (rps), allowing for short traffic spikes. -2. **Sustained Limit**: Maximum requests per minute (rpm), ensuring consistent performance over time. +1. Burst limit: Maximum requests per second (rps), allowing for short traffic spikes. +2. Sustained limit: Maximum requests per minute (rpm), ensuring consistent performance over time. -### Determining Your Project's Rate Limits +### Determine your project's rate limits To identify the rate limits that apply to your project: 1. Check your Workspace subscription plan (Developer, Production, Growth, or Enterprise). 2. Identify the environment (Production, Staging, or Development) assigned to your project. -3. Refer to the appropriate table below based on your subscription plan and project environment. +3. Refer to the tables below based on your subscription plan and project environment. 
-### Rate Limit Tables by Subscription Plan +### Rate limit tables by subscription plan -#### Developer Plan Rate Limits +#### Developer plan rate limits -| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) | -| :------------ | :------------------------- | ----------: | --------------: | -| **Developer** | `/sessions/whoami` | 10 | 300 | -| | `/admin/oauth2/introspect` | 10 | 300 | -| | `/relation-tuples/check` | 10 | 300 | -| | `GET /admin/identities` | 1 | 10 | -| | `*` | 5 | 150 | +| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) | +| :---------- | :------------------------- | ----------: | --------------: | +| Developer | `/sessions/whoami` | 10 | 300 | +| | `/admin/oauth2/introspect` | 10 | 300 | +| | `/relation-tuples/check` | 10 | 300 | +| | `GET /admin/identities` | 1 | 10 | +| | `*` | 5 | 150 | Note: For Developer plans, all environments (Production, Staging, Development) use the same rate limits. -#### Production Plan Rate Limits - -| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) | -| :---------------------------- | :------------------------- | ----------: | --------------: | -| **Production** | `/sessions/whoami` | 80 | 1800 | -| | `/admin/oauth2/introspect` | 80 | 1800 | -| | `/relation-tuples/check` | 80 | 1800 | -| | `GET /admin/identities` | 10 | 300 | -| | `*` | 40 | 900 | -| **Staging** & **Development** | `/sessions/whoami` | 10 | 30 | -| | `/admin/oauth2/introspect` | 10 | 300 | -| | `/relation-tuples/check` | 10 | 300 | -| | `GET /admin/identities` | 1 | 10 | -| | `*` | 5 | 150 | +#### Production plan rate limits + +| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) | +| :-------------------- | :------------------------- | ----------: | --------------: | +| Production | `/sessions/whoami` | 80 | 1800 | +| | `/admin/oauth2/introspect` | 80 | 1800 | +| | `/relation-tuples/check` | 80 | 1800 | +| | `GET /admin/identities` | 10 | 300 | +| | `*` | 40 | 900 | +| Staging & Development | `/sessions/whoami` 
| 10 | 30 | +| | `/admin/oauth2/introspect` | 10 | 300 | +| | `/relation-tuples/check` | 10 | 300 | +| | `GET /admin/identities` | 1 | 10 | +| | `*` | 5 | 150 | :::note @@ -105,20 +96,20 @@ Note: These rate limits also apply to the Legacy `Essential` plan. ::: -#### Growth Plan Rate Limits - -| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) | -| :---------------------------- | :------------------------- | ----------: | --------------: | -| **Production** | `/sessions/whoami` | 800 | 18000 | -| | `/admin/oauth2/introspect` | 800 | 18000 | -| | `/relation-tuples/check` | 800 | 18000 | -| | `GET /admin/identities` | 20 | 600 | -| | `*` | 400 | 9000 | -| **Staging** & **Development** | `/sessions/whoami` | 10 | 30 | -| | `/admin/oauth2/introspect` | 10 | 300 | -| | `/relation-tuples/check` | 10 | 300 | -| | `GET /admin/identities` | 1 | 10 | -| | `*` | 5 | 150 | +#### Growth plan rate limits + +| Environment | Path / Bucket | Burst (rps) | Sustained (rpm) | +| :-------------------- | :------------------------- | ----------: | --------------: | +| Production | `/sessions/whoami` | 800 | 18000 | +| | `/admin/oauth2/introspect` | 800 | 18000 | +| | `/relation-tuples/check` | 800 | 18000 | +| | `GET /admin/identities` | 20 | 600 | +| | `*` | 400 | 9000 | +| Staging & Development | `/sessions/whoami` | 10 | 30 | +| | `/admin/oauth2/introspect` | 10 | 300 | +| | `/relation-tuples/check` | 10 | 300 | +| | `GET /admin/identities` | 1 | 10 | +| | `*` | 5 | 150 | :::note 
@@ -126,91 +117,76 @@ Note: These rate limits also apply to the Legacy `Scale` plan. ::: -#### Enterprise Contract Rate Limits +#### Enterprise contract rate limits Looking for enterprise-grade rate limits? Everything's possible. Get in touch with us to discuss your requirements. -## Endpoint-Based Rate Limits - -This page provides a comprehensive explanation of Ory's Endpoint-Based Rate Limiting. These limits are designed to fortify the -security of your Ory project endpoints by mitigating common attack vectors such as brute-force and credential stuffing attempts, -while allowing for flexibility for high-volume legitimate traffic from trusted sources. - -### What are Endpoint-Based Rate Limits? +## Endpoint based rate limits -Endpoint-Based Rate Limits are precise controls applied to individual API endpoints within your Ory projects. Unlike Project Rate -Limits, which govern overall project request volumes, Endpoint-Based Rate Limits focus on safeguarding specific functionalities -against abuse. +Endpoint based rate limits are controls applied to individual API endpoints within your Ory projects. Unlike project rate limits, +which govern overall project request volumes, endpoint based rate limits focus on safeguarding specific functionalities against +abuse. -### How Endpoint-Based Rate Limits Work +### How endpoint based rate limits work These limits act as a first line of defense for your project endpoints. They analyze incoming request patterns and consider factors such as: -- **Source IP Address:** Identifies and potentially blocks requests originating from suspicious sources or those exhibiting - behavior indicative of malicious activity. -- **Request Frequency:** Monitors how often requests are made to a specific endpoint to detect and thwart attempts to overwhelm - the system or exploit vulnerabilities. 
-- **User Authentication:** (If applicable) Considers whether requests are authenticated and may apply different limits for +- Source IP Address: Identifies and potentially blocks requests from suspicious sources or those exhibiting behavior indicative of + malicious activity. +- Request Frequency: Monitors how often requests are made to a specific endpoint to detect and thwart attempts to overwhelm the + system or exploit vulnerabilities. +- User Authentication: (If applicable) Considers whether requests are authenticated and may apply different limits for authenticated vs. unauthenticated requests. -- **Request Method:** May apply different limits based on the HTTP method used (GET, POST, etc.). -- **IP Whitelist Status:** Applies higher limits to whitelisted IPs for Enterprise and Growth customers. +- Request Method: May apply different limits based on the HTTP method used (GET, POST, etc.). +- IP Whitelist Status: Applies higher limits to whitelisted IPs for Enterprise and Growth customers. -### Benefits of Endpoint-Based Rate Limiting +### Purpose endpoint based rate limits -#### Purpose - -Ory implements Endpoint-Based Rate Limits to proactively secure individual endpoints and protect against common attack vectors +Ory implements endpoint based rate limits to proactively secure individual endpoints and protect against common attack vectors like brute-force and credential stuffing, while allowing for higher volumes of legitimate traffic from trusted sources. These -types of attacks typically involve numerous attempts to guess credentials or exploit vulnerabilities, often originating from a -limited set of IP addresses. - -#### Key Benefits +attacks typically involve numerous attempts to guess credentials or exploit vulnerabilities, often from a limited set of IP +addresses. -1. **Enhanced Security:** +1. Enhanced security: - Restricts the number of requests from specific sources within a given timeframe. 
- Makes it significantly harder for attackers to succeed with brute-force or credential stuffing attacks. - Strengthens the security of your Ory projects and protects sensitive user data. -2. **Protection Against Malicious Bots:** +2. Protection against malicious bots: - Differentiates between genuine user traffic and potentially harmful bot activity. - Analyzes request patterns to identify and block automated malicious activities. -3. **Safeguarding Specific Endpoints:** +3. Safeguarding specific endpoints: - Offers granular control over how each endpoint handles traffic and responds to potential threats. - Allows fine-tuning of security measures for individual endpoints. - Optimizes protection without compromising the user experience. -4. **Fair Usage:** +4. Fair usage: - - Complements Project Rate Limits in ensuring fair resource allocation. + - Complements project rate limits in ensuring fair resource allocation. - Contributes to a fairer and more stable platform for all users by mitigating abusive traffic. -5. **Flexibility for High-Volume Legitimate Traffic:** +5. Flexibility for high volume legitimate traffic: - Provides options for Enterprise and Growth customers to whitelist internal IPs for higher rate limits. - Balances security needs with the requirements of high-volume legitimate traffic. -### Important Notes on Rate Limit Rules +### Notes on rate limit rules -#### Rule Management +#### Rule management -The Endpoint-Based Rate Limit rules are set and managed by Ory. These rules are not directly configurable by Enterprise and Growth +The endpoint based rate limit rules are set and managed by Ory. These rules are not directly configurable by Enterprise and Growth customers yet. -#### IP Whitelisting for Enterprise and Growth Customers +#### IP Whitelisting for Enterprise and Growth plans -Enterprise and Growth Customers have the option to whitelist internal IPs. 
This feature is designed for cases where these IPs -generate high volumes of legitimate calls that might otherwise trigger rate-limit rules. +Enterprise and Growth plans can whitelist internal IPs. This feature is designed for cases where these IPs generate high volumes +of legitimate calls that might otherwise trigger rate-limit rules. - Whitelisted IPs are subject to the same rule structure but with higher limits. -- To whitelist IPs, please create a support ticket with Ory. -- This feature ensures that necessary high-volume traffic from trusted sources is not interrupted while maintaining strong - security measures. - -### List of Rate Limit Rules - -This section will be populated later with detailed documentation of the rules set by Ory, including information on standard limits -and higher limits for whitelisted IPs. +- To whitelist IPs, please create a support ticket with Ory: . +- This feature ensures that high volume traffic from trusted sources is not interrupted while maintaining strong security + measures.
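Review bot: in the Production plan table of the first hunk (@@ -1,103 +1,94 @@), the `Staging & Development` row for `/sessions/whoami` keeps `| 10 | 30 |` while every other Staging/Development row in the same table shows a sustained limit of 300 rpm; a 10 rps burst would exhaust a 30 rpm budget in three seconds, so this reads as a pre-existing typo carried over from the removed lines rather than an intended value, and since the whole table is being retyped for column alignment anyway, either correct it to 300 here or confirm it is deliberate. The restyled "Types of rate limits" list also drops the in-page links `[**Project Rate Limits in Workspaces**](#project-rate-limits-in-workspaces)` and `(#endpoint-based-rate-limits)`; the new sentence-case headings lowercase to the same slugs, so the links can be kept as `[Project rate limits in Workspaces](#project-rate-limits-in-workspaces)` with no loss. Minor: the sub-item still reads "Endpoint-based rate limits act as a first line of defense" with a hyphen while the heading and lead item switched to "Endpoint based", and the deletion of the whole "## Benefits of Rate Limiting" section is a content change that a commit titled "chore: implement styleguide" should at least mention.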
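Review bot: the Growth plan table in the second hunk (@@ -105,20 +96,20 @@) repeats the same `| 10 | 30 |` sustained value on the `Staging & Development` `/sessions/whoami` row, against 300 on the adjacent rows; whichever way the Production table row is resolved, this row should be made consistent with it in the same commit, since the two tables are otherwise identical for Staging and Development. The remainder of the hunk only removes bold and re-pads the columns, which matches the styleguide intent.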
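Review bot: in the third hunk (@@ -126,91 +117,76 @@) the bullet `- To whitelist IPs, please create a support ticket with Ory: .` ends in a colon followed only by a period, so the link target the colon introduces is missing; either restore the support link or drop the colon. The new heading `### Purpose endpoint based rate limits` is missing "of" (`### Purpose of endpoint based rate limits`), and several labels in this hunk escaped the sentence-case pass applied elsewhere in the commit: `Source IP Address:`, `Request Frequency:`, `User Authentication:`, `Request Method:`, `IP Whitelist Status:` and `#### IP Whitelisting for Enterprise and Growth plans`. Finally, this hunk deletes the `### List of Rate Limit Rules` section and the introductory paragraph under `## Endpoint based rate limits` rather than restyling them; for a "chore: implement styleguide" change that removal should be called out in the commit message or split into its own commit.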