Haven't addressed this yet! But yes, something we should investigate how to add/support. And yeah, likely would be different for serverless vs server. For a server, I think middleware would work well.
If you're referring to rate limiting to prevent Distributed Denial Of Service (DDOS) attacks, I don't think there is much that blitz could do for you. Frankly, if the DDOS is interacting with your application server, it has already achieved its goal, because no matter how quickly your application can reject bad requests, it won't be able to keep up against a botnet. You would need a reverse proxy/load balancer in front of your web servers that is capable of dealing with attacks like that. If you're hosting your app on the cloud, you could use your cloud provider's or Cloudflare's DDOS services. If you want to implement rate limiting for non-DOS purposes, like if your app offers an API where users get X calls/hour based on the subscription tier or something, you could implement that kind of rate limiting inside blitz, but I think that's too application-specific for there to be a one-size-fits-all solution that Blitz could provide.
Seeing as a search for "rate limiting" brought up nothing, thought it would be worth making a discussion!
Does blitz have any built-in support for rate limiting / abuse prevention?
If not, are there any recommended patterns? Maybe using something like this as a middleware? https://www.npmjs.com/package/express-rate-limit like so https://blitzjs.com/docs/middleware#connect-express-compatibility
And for serverless, would it then be a matter of using AWS WAF?
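An added example, not part of the original thread and not Blitz's own code: the application-level, per-tier quota described in the reply above, written as a connect-style `(req, res, next)` middleware of the kind the question links to. The tier names and limits, the `req.user` object with `id` and `tier` fields, and the `simulateRequest` helper are assumptions made for illustration.

```javascript
// Added example: fixed-window quota per user, sized by subscription tier.
// Tier names and limits are constructed values, not from Blitz.
const TIER_LIMITS = { free: 100, pro: 1000 }; // calls per window
const WINDOW_MS = 60 * 60 * 1000; // one hour

function createTierRateLimiter({ limits = TIER_LIMITS, windowMs = WINDOW_MS, now = Date.now } = {}) {
  // userId -> { windowStart, count }. In-memory only: counts are per process
  // and entries are never evicted, so this suits a single long-lived server.
  const counters = new Map();

  return function tierRateLimit(req, res, next) {
    const user = req.user; // assumption: set by an earlier auth middleware
    if (!user) { res.statusCode = 401; return res.end("unauthenticated"); }
    // Fail closed: an unrecognised tier gets no quota rather than unlimited.
    // Own-property check so a tier like "constructor" cannot match the prototype.
    if (!Object.prototype.hasOwnProperty.call(limits, user.tier)) {
      res.statusCode = 403;
      return res.end("unknown tier");
    }
    const limit = limits[user.tier];

    const t = now();
    let entry = counters.get(user.id);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { windowStart: t, count: 0 }; // start a fresh window
      counters.set(user.id, entry);
    }
    res.setHeader("X-RateLimit-Limit", String(limit));
    if (entry.count >= limit) {
      const retrySec = Math.ceil((entry.windowStart + windowMs - t) / 1000);
      res.setHeader("X-RateLimit-Remaining", "0");
      res.setHeader("Retry-After", String(retrySec));
      res.statusCode = 429;
      return res.end("rate limit exceeded");
    }
    entry.count += 1;
    res.setHeader("X-RateLimit-Remaining", String(limit - entry.count));
    next();
  };
}

// Drives the middleware with minimal stand-in req/res objects (no HTTP server).
function simulateRequest(limiter, user) {
  const headers = {};
  const res = { statusCode: 200, setHeader: (k, v) => { headers[k] = v; }, end: () => {} };
  let passed = false;
  limiter({ user }, res, () => { passed = true; });
  return { status: res.statusCode, passed, headers };
}
```

Because the counters live in process memory, several server instances or serverless invocations would each keep their own count; a shared store is needed for the limit to hold across them.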