Problem
FirstData MCP service has no rate limiting on authentication endpoints.
- 5 consecutive invalid tokens → all return 403 instantly, no throttling
- No IP-based or token-based rate limiting
- No progressive delay on failed attempts
- Combined with static, non-rotating API keys → a guessed key stays valid indefinitely and a brute-force run can proceed at full line speed, so the attacker's budget is bounded only by key entropy, not by the service
Evidence
Tested 2026-04-24. 5 rapid invalid-token requests, all instant 403, zero throttling.
Suggested Fix
Phase 1 (nginx, immediate): limit_req_zone $binary_remote_addr zone=auth_fail:10m rate=10r/m; then limit_req zone=auth_fail burst=5 nodelay; on the auth location. Caveats: limit_req cannot see the response status, so it throttles every auth request from an IP, valid or not (keep the burst so well-behaved clients are not hit); if the service sits behind a load balancer, configure real_ip so the key is the client address and not the proxy's; per-IP limits do not stop a distributed source, which is why Phase 2 is still needed.
Phase 2 (app layer): per-token rate limiting + progressive delay on failures + anomaly alerting on the global invalid-credential rate (catches distributed guessing that stays under every per-IP limit)
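Sketch of the Phase 2 logic as an added example; this is not FirstData MCP code, and the class, method names, thresholds and sample addresses are assumptions chosen for illustration. It keeps a sliding window of failures per source IP (progressive delay, then refusal), per presented credential (counted by a truncated hash so the raw secret is never stored; "per-token" is interpreted here as per presented credential), and globally (an alert when the service-wide invalid-credential rate spikes, which is what a distributed brute force looks like). The two simulate_* functions replay the evidence scenario above and a distributed variant against a fixed clock so the run is deterministic and offline.

```python
"""Per-IP, per-credential and global auth-failure limiting (added example, not FirstData MCP code)."""
import hashlib
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool    # False: refuse before even validating the credential
    delay_s: float   # progressive delay to apply before sending the error response
    reason: str


class AuthFailureLimiter:
    """Sliding-window failure counters; all thresholds are illustrative assumptions."""

    def __init__(self, window_s: float = 60.0, per_ip_limit: int = 10,
                 per_cred_limit: int = 3, base_delay_s: float = 0.5,
                 max_delay_s: float = 30.0, global_alert_threshold: int = 50,
                 alert: Optional[Callable[[str], None]] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window_s = window_s
        self.per_ip_limit = per_ip_limit
        self.per_cred_limit = per_cred_limit
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s
        self.global_alert_threshold = global_alert_threshold
        self.alerts: List[str] = []                 # default sink; swap for a pager/SIEM hook
        self._alert = alert or self.alerts.append
        self._clock = clock
        self._ip_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._cred_fail: Dict[str, Deque[float]] = defaultdict(deque)
        self._global_fail: Deque[float] = deque()

    def _prune(self, dq: Deque[float], now: float) -> None:
        # Drop timestamps that have aged out of the window.
        while dq and now - dq[0] >= self.window_s:
            dq.popleft()

    @staticmethod
    def cred_key(presented: str) -> str:
        # Correlate repeated use of the same bad credential without storing it.
        return hashlib.sha256(presented.encode("utf-8")).hexdigest()[:16]

    def before_auth(self, ip: str) -> Decision:
        """Call before validating the credential; refuses an IP over its window limit."""
        now = self._clock()
        dq = self._ip_fail[ip]
        self._prune(dq, now)
        if len(dq) >= self.per_ip_limit:
            return Decision(False, self.max_delay_s, "ip-limit")
        return Decision(True, 0.0, "ok")

    def record_failure(self, ip: str, presented: str) -> Decision:
        """Call after an invalid credential; returns the delay to sleep before the 401/403."""
        now = self._clock()
        self._ip_fail[ip].append(now)
        self._prune(self._ip_fail[ip], now)
        ck = self.cred_key(presented)
        self._cred_fail[ck].append(now)
        self._prune(self._cred_fail[ck], now)
        self._global_fail.append(now)
        self._prune(self._global_fail, now)
        n_ip = len(self._ip_fail[ip])
        # Progressive delay: 0.5s, 1s, 2s, 4s ... doubling per failure from this IP, capped.
        delay = min(self.base_delay_s * 2 ** (n_ip - 1), self.max_delay_s)
        if len(self._global_fail) == self.global_alert_threshold:
            self._alert(f"auth failure spike: {self.global_alert_threshold} "
                        f"invalid credentials within {self.window_s:.0f}s")
        if n_ip >= self.per_ip_limit:
            self._alert(f"ip {ip} reached the per-IP auth failure limit")
            return Decision(False, delay, "ip-limit")
        if len(self._cred_fail[ck]) >= self.per_cred_limit:
            return Decision(True, delay, "credential-replay")   # same bad key, e.g. a revoked one
        return Decision(True, delay, "failed")


def simulate_rapid_probe(n: int = 5) -> List[float]:
    """Replay the evidence: n rapid invalid tokens from one (constructed, TEST-NET-2) IP."""
    lim = AuthFailureLimiter(clock=lambda: 0.0)
    ip = "198.51.100.7"
    delays: List[float] = []
    for i in range(n):
        if lim.before_auth(ip).allowed:
            delays.append(lim.record_failure(ip, f"invalid-token-{i}").delay_s)
    return delays


def simulate_distributed_probe(n_sources: int = 60) -> List[str]:
    """One guess each from many constructed TEST-NET-3 IPs: no per-IP limit trips, global alert does."""
    lim = AuthFailureLimiter(clock=lambda: 0.0, global_alert_threshold=50)
    for i in range(n_sources):
        lim.record_failure(f"203.0.113.{i % 254 + 1}", f"guess-{i}")
    return lim.alerts
```

Plugging this into the service means calling before_auth on each request to the authentication endpoint, refusing (with the returned delay) when it says so, and otherwise calling record_failure after a rejected credential and sleeping for delay_s before answering. The stand-alone run mirrors the evidence: the five rapid invalid tokens get 0.5, 1, 2, 4 and 8 second delays instead of five instant 403s, and the distributed run raises exactly one alert without any single IP being throttled.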
Priority
P0 — consensus among 墨子, 明察, 明鉴.
Related