Comments (4)
Yea, there's a couple of vectors there:
- If the attacker knows a third party's IP, they can use spoofing to make the server deny service to that third party.
- If the attacker doesn't need the server's response to carry out the attack, then IP spoofing will effectively bypass this module.
For something like a login or password reset form, you could mitigate the second attack vector by putting a CSRF token in the form and rate-limiting that.
from express-rate-limit.
Sorry, typing this on a phone...
Old versions of the library had a `global: true` option, which would basically lock it down for everyone if an attacker hit the site too hard with spoofed IPs, but it wasn't that useful in practice and got removed from v2.
Aces. Thanks for the quick, helpful reply.
I apologize, I don't understand the bit about a CSRF token and rate limiting that. What would the attacker be trying to accomplish with a login form if he doesn't need the response? Certainly not logging in/cracking the password since he won't have the response. Also, what value does the CSRF token provide other than its standard use of making sure a user doesn't unintentionally submit a form?