jake/compassmock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
compassmock/docs/auth/rate-limits.md
Nicholai a7494397f2
docs(all): comprehensive documentation overhaul (#57) 
Restructure docs/ into architecture/, modules/, and
development/ directories. Add thorough documentation
for Compass Core platform and HPS Compass modules.
Rewrite CLAUDE.md as a lean quick-reference that
points to the full docs. Rename files to lowercase,
consolidate old docs, add gotchas section.

Co-authored-by: Nicholai <nicholaivogelfilms@gmail.com>
2026-02-07 19:17:37 -07:00

72 lines
2.2 KiB
Markdown
Executable File
Raw Blame History

# Rate Limiting Configuration
This document explains how to configure rate limiting for the authentication endpoints using Cloudflare.
## Recommended Configuration
### Via Cloudflare Dashboard (Recommended)
1. Go to **Cloudflare Dashboard** > **Security** > **WAF** > **Rate limiting rules**
2. Create a new rule with the following settings:
**Rule name:** Auth endpoint protection
**Expression:**
```
(http.request.uri.path contains "/api/auth/") or (http.request.uri.path eq "/callback")
```
**Characteristics:** IP address
**Rate:** 10 requests per 60 seconds
**Action:** Block for 60 seconds
3. Click **Deploy**
### Alternative: Stricter Rules for Login
For additional protection against brute-force attacks on the login endpoint:
**Rule name:** Login endpoint protection
**Expression:**
```
(http.request.uri.path eq "/api/auth/login") and (http.request.method eq "POST")
```
**Characteristics:** IP address
**Rate:** 5 requests per 60 seconds
**Action:** Block for 300 seconds (5 minutes)
## Why These Settings?
1. **10 requests per minute for general auth endpoints** - Allows legitimate users to:
- Make a few login attempts if they mistype their password
- Request password resets
- Complete email verification
2. **Stricter limits on login** - The login endpoint is the primary target for brute-force attacks. 5 attempts per minute is generous for legitimate users but stops automated attacks.
3. **IP-based blocking** - Simple and effective for most use cases. Note that this may block multiple users behind the same NAT/corporate network.
## Monitoring
After enabling rate limiting:
1. Monitor the **Security Analytics** dashboard for blocked requests
2. Adjust thresholds if you see legitimate traffic being blocked
3. Consider adding additional rules for specific patterns of abuse
## Advanced: Per-User Rate Limiting
For more sophisticated rate limiting based on user identity (not just IP), consider implementing application-level rate limiting using:
- **Cloudflare Durable Objects** - For distributed state
- **Cloudflare KV** - For simple counters with eventual consistency
This is typically only needed for applications with high traffic or specific compliance requirements.
Reference in New Issue View Git Blame Copy Permalink