Summary
Rate limiting storage defaults to in-memory in config.py:
RATE_LIMIT_STORAGE_URL = os.getenv("VLOG_RATE_LIMIT_STORAGE_URL", "memory://")
Issue
Per-process in-memory rate limiting doesn't work correctly with multiple API instances. An attacker can distribute requests across instances to bypass rate limits.
The code does log a warning at startup (good), but the default configuration is weak for production multi-instance deployments.
Recommendation
- Consider requiring explicit configuration for production (fail-fast if not set in production mode)
- Update documentation to emphasize Redis requirement for multi-instance deployments
- Alternatively, default to the Redis URL if VLOG_REDIS_URL is already configured
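The recommendations above (fail fast in production, reuse an existing Redis URL, keep the warning otherwise) as one resolver function. This is an added example, not the project's config.py; it uses the VLOG_RATE_LIMIT_STORAGE_URL and VLOG_REDIS_URL variables from this issue and assumes a hypothetical VLOG_ENV variable that marks a production deployment.

```python
"""Resolve the rate-limit storage backend with a fail-fast production check.

Added example for this issue, not the project's own config.py. VLOG_ENV is an
assumed variable name for the deployment mode.
"""
import logging
import os
from typing import Mapping, Optional

logger = logging.getLogger(__name__)

MEMORY_STORAGE = "memory://"


class RateLimitConfigError(RuntimeError):
    """Raised when a production deployment would fall back to per-process storage."""


def resolve_rate_limit_storage_url(env: Optional[Mapping[str, str]] = None) -> str:
    """Pick the storage URL for the rate limiter.

    Precedence:
      1. VLOG_RATE_LIMIT_STORAGE_URL, if set explicitly
      2. VLOG_REDIS_URL, if Redis is already configured for something else
      3. memory:// (per-process counters), allowed only outside production
    """
    env = os.environ if env is None else env
    url = (
        env.get("VLOG_RATE_LIMIT_STORAGE_URL")
        or env.get("VLOG_REDIS_URL")
        or MEMORY_STORAGE
    )
    production = env.get("VLOG_ENV", "development").lower() == "production"

    if url.startswith(MEMORY_STORAGE):
        if production:
            # Fail fast: with per-process counters, each API instance enforces the
            # limit independently, so the effective limit scales with instance count.
            raise RateLimitConfigError(
                "In-memory rate limiting is not shared across API instances; "
                "set VLOG_RATE_LIMIT_STORAGE_URL or VLOG_REDIS_URL in production."
            )
        # Keep the existing startup warning for development and single-instance runs.
        logger.warning(
            "Rate limiting uses per-process memory storage; limits are not shared "
            "across instances."
        )
    return url
```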
Current Mitigation
A startup warning is logged when using in-memory storage.
Identified during Distinguished Engineer code review