System Information
- Strapi Version:
- Operating System:
- Database:
- Node Version:
- NPM Version:
- Yarn Version:
I noticed Strapi admin panel comes with rate limiting for your routes that I can check off to activate. May I know how it works, what’s the cap like, how many requests/min etc?
Is it 5 requests/min per IP address as per this js file?
```js
// options passed to koa2-ratelimit in the users-permissions ratelimit policy
interval: 1 * 60 * 1000,
max: 5,
prefixKey: `${ctx.request.path}:${ctx.request.ip}`,
```
Hey @jasonleow,

The auth routes:
- /connect/*
- /auth/local
- /auth/local/register
- /auth/forgot-password
- /auth/reset-password

have the policy `plugins::users-permissions.ratelimit` (you linked).

Looking at the config of the koa2-ratelimit middleware:
- `interval`: Time Type - how long should records of requests be kept in memory. Defaults to `60000` (1 minute).
- `max`: max number of connections during `interval` milliseconds before sending a 429 response code. Defaults to `5`. Set to `0` to disable.

It indeed is max 5 connections during the interval of `1 * 60 * 1000` = 60 seconds, per IP, per path.
Just something to note, our default implementation stores the rate limit information in the node memory, so if you scale your backend, the rate limit storage is per instance and is not shared.
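To make the two answers above concrete (5 hits per minute keyed by path and IP, and the default store living in each instance's memory), here is an added example that is not Strapi's or koa2-ratelimit's own code: a minimal in-memory fixed-window limiter with the same `interval`/`max`/`prefixKey` semantics, driven with constructed requests, plus a two-instance scenario showing that without a shared store the effective cap becomes `max * instances`.

```javascript
// Added example, not Strapi's or koa2-ratelimit's own code: a minimal fixed-window
// limiter modelling the policy discussed above (max 5 hits per 60 s, keyed by
// `${path}:${ip}`, state kept in process memory, max 0 disables the limit).
const INTERVAL_MS = 1 * 60 * 1000;
const MAX_HITS = 5;

function createLimiter({ interval = INTERVAL_MS, max = MAX_HITS } = {}) {
  const store = new Map(); // prefixKey -> { count, resetAt }; visible to this process only
  // Returns the status the policy would answer with for one request.
  return function check(ctx, now = Date.now()) {
    if (max === 0) return 200; // koa2-ratelimit semantics: max 0 = disabled
    const key = `${ctx.request.path}:${ctx.request.ip}`;
    let rec = store.get(key);
    if (!rec || now >= rec.resetAt) {
      rec = { count: 0, resetAt: now + interval }; // new window for this path+IP
      store.set(key, rec);
    }
    rec.count += 1;
    return rec.count > max ? 429 : 200;
  };
}

// Send n requests with the same path and IP through one limiter, collect statuses.
function hit(limiter, path, ip, n, now) {
  const ctx = { request: { path, ip } }; // constructed stand-in for a Koa ctx
  return Array.from({ length: n }, () => limiter(ctx, now));
}

// One instance: 6th login in a minute is rejected, register has its own counter,
// and the counter is fresh once the interval has elapsed.
function singleInstanceDemo() {
  const limiter = createLimiter();
  const t0 = 1700000000000; // constructed fixed timestamp (ms)
  return {
    login: hit(limiter, '/auth/local', '203.0.113.7', 6, t0),
    register: hit(limiter, '/auth/local/register', '203.0.113.7', 1, t0),
    afterWindow: hit(limiter, '/auth/local', '203.0.113.7', 1, t0 + INTERVAL_MS),
  };
}

// Several instances behind a round-robin balancer: each keeps its own Map, so the
// effective cap per path+IP becomes max * instances until a shared store is used.
function scaledDemo(instances, requests) {
  const limiters = Array.from({ length: instances }, () => createLimiter());
  const ctx = { request: { path: '/auth/local', ip: '203.0.113.7' } };
  const statuses = Array.from({ length: requests }, (_, i) => limiters[i % instances](ctx, 1700000000000));
  return { accepted: statuses.filter((s) => s === 200).length, rejected: statuses.filter((s) => s === 429).length };
}
```

With two instances and twelve login attempts from one IP, ten are accepted instead of five, which is why a shared store (or per-instance awareness in monitoring) matters once you scale out.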
Thank you for confirming! So 5 connections per 60s per IP path. Does this rate limit extend to the other non-auth routes too?
Only if you define the policy or create a new one and attach it to the routes.json
see: https://strapi.io/documentation/v3.x/concepts/policies.html#concept