Skip to content

Security: No rate limiting on API endpoints #103

Description

@mantono

Description

None of the API endpoints have rate limiting. An attacker can send unlimited requests to any endpoint, potentially causing resource exhaustion or abuse of the service.

This is especially concerning for write endpoints (PUT, DELETE) which modify state, and for the in-memory database backend where unlimited writes lead to unbounded memory growth.

Severity

Low

Suggested Fix

Consider adding rate limiting middleware via tower::limit::RateLimitLayer or a similar mechanism.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions