[BUG] Server crashes under 500 concurrent connections — no rate limiting or connection limiting

[ElioNeto]

Description

During security testing, 500 concurrent requests caused the server to become unresponsive. There is no rate limiting, connection limiting, or request queuing mechanism.

Impact

• Trivial DoS: a single client can overwhelm the server with concurrent connections
• No max_connections or backlog configuration exposed
• Actix-web default worker count may be insufficient

Evidence

500 rapid requests: 823 ms
Server still up: no

Proposed fix

1. Configure HttpServer::max_connections() and HttpServer::backlog()
2. Add connection-per-IP rate limiting middleware
3. Add MAX_CONNECTIONS and WORKERS environment variables

Severity

High — no protection against DoS.

Labels

[ElioNeto]

Fixed in commit 9188977. Added HttpServer::max_connections(), backlog(), workers() configuration and IP-based rate limiting middleware with sliding window tracking. New env vars: MAX_CONNECTIONS, BACKLOG, WORKERS, RATE_LIMIT_ENABLED, RATE_LIMIT_REQUESTS_PER_MINUTE.