-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
could add throttle status to response headers when not exceed throttle #29
Comments
Hi @iamroody. I don't think I follow. Are you wanting to customize how rack attack annotates the request? You could do that with your own custom middleware. Could you clarify your use case with an example? |
I'm going to close this for now. Feel free to reopen with clarification. |
Sorry to Necro this, but I also expected this to be the default behaviour - seems like something rack-attack should do out of the box. To clarify, when a throttle is specified, the response should include headers to indicate the throttle limit, and the remaining calls available for the period, like twitter does: X-Rate-Limit-Limit: the rate limit ceiling for that given request Any chance this will be added? Seems like a very common expectation and use case. |
@johnmcdowall: Good points. It is a common expectation & use case, especially when designing an API. I'm unconvinced it should be the default, b/c sometimes it's nice to not expose that info if you're trying to slow down malicious attackers. And modifying app response headers feels like a big increase in the scope of rack-attack. E.g., would we override the X-RateLimit-* response headers if they're already set by the app? What would the X-RateLimit-* headers be if multiple throttles were hit? What would be least surprising for developers? That uncertainty is why I punted on it for now. There's enough throttle info in the env for developers to add the headers themselves. If you have a good solution, please implement a proof-of-concept rack middleware, and I'll gladly consider including it in rack-attack. |
I know we could add these headers to response in controller from "request.env['rack.attack.throttle_data'][name]", but if we could config add this custom header in rack-attack, it would be great.
The text was updated successfully, but these errors were encountered: