I noticed the Strapi admin panel comes with rate limiting for your routes that I can check off to activate. May I know how it works, what’s the cap like, how many requests/min, etc.?
Is it 5 requests/min per IP address as per this js file?
interval: 1 * 60 * 1000,
The auth routes:
Have the policy plugins::users-permissions.ratelimit (you linked).
Looking at the config of koa2-ratelimit middleware:
interval: Time Type - how long should records of requests be kept in memory. Defaults to 60000 (1 minute).
max: max number of connections during interval milliseconds before sending a 429 response code. Defaults to 5. Set to 0 to disable.
It indeed is max 5 connections during the interval of 1 * 60 * 1000 = 60 seconds per
Just something to note, our default implementation stores the rate limit information in the node memory, so if you scale your backend, the rate limit storage is per instance and is not shared.
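The scaling caveat above, as an added example (not Strapi's or koa2-ratelimit's code): a simplified fixed-window limiter with the thread's interval and max, hit round-robin from one client key across one instance, three instances with private memory, and three instances with a shared store. MemoryLimiter, allowedInWindow and the IP-plus-path key are assumptions made for illustration, and the shared Map stands in for an external store.

```javascript
// Simplified model of a fixed-window, in-memory limiter using the thread's
// settings (interval = 1 * 60 * 1000, max = 5). Not koa2-ratelimit's source.
const INTERVAL = 1 * 60 * 1000;
const MAX = 5;

class MemoryLimiter {
  constructor(store = new Map()) {
    this.store = store; // key -> { count, resetAt }
  }
  // Returns the HTTP status the request would get: 200 or 429.
  hit(key, now) {
    let rec = this.store.get(key);
    if (!rec || now >= rec.resetAt) {
      // First request for this key, or the previous window has expired.
      rec = { count: 0, resetAt: now + INTERVAL };
      this.store.set(key, rec);
    }
    rec.count += 1;
    return rec.count > MAX ? 429 : 200;
  }
}

// Send `requests` hits for one key round-robin across `limiters`
// (one limiter per backend instance) and count how many are allowed.
function allowedInWindow(limiters, key, requests, start = 0) {
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    const limiter = limiters[i % limiters.length];
    if (limiter.hit(key, start + i * 100) === 200) allowed++;
  }
  return allowed;
}

// Constructed sample: 30 requests from one client key within 3 seconds.
const KEY = "203.0.113.7|/auth/local"; // constructed key (assumed IP + path)
const single = allowedInWindow([new MemoryLimiter()], KEY, 30);
const threePrivate = allowedInWindow(
  [new MemoryLimiter(), new MemoryLimiter(), new MemoryLimiter()], KEY, 30);
const shared = new Map(); // stands in for a store all instances can reach
const threeShared = allowedInWindow(
  [new MemoryLimiter(shared), new MemoryLimiter(shared), new MemoryLimiter(shared)],
  KEY, 30);

console.log({ single, threePrivate, threeShared });
```

With private per-instance memory the effective cap is max multiplied by the number of instances, so the figure to plan around on a scaled backend is not 5.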
Thank you for confirming! So 5 connections per 60s per IP path. Does this rate limit extend to the other non-auth routes too?
Only if you define the policy or create a new one and attach it to the