4e3f5072f6
security: add rate limiting to API server (V-016, CVSS 7.3)
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 31s
Tests / test (pull_request) Failing after 32s
Docker Build and Publish / build-and-push (pull_request) Failing after 59s
Add token bucket rate limiter per client IP.
Changes:
- gateway/platforms/api_server.py:
  - Add _RateLimiter class with token bucket algorithm
  - Add rate_limit_middleware for request throttling
  - Configurable via API_SERVER_RATE_LIMIT (default 100 req/min)
  - Returns 429 with Retry-After header when limit exceeded
  - Skip rate limiting for /health endpoint
CVSS: 7.3 (High)
Refs: V-016 in SECURITY_AUDIT_REPORT.md
CWE-770: Allocation of Resources Without Limits or Throttling
2026-03-31 00:04:56 +00:00 |
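As an added illustration of the design the commit message describes, and not the project's own code from gateway/platforms/api_server.py: a per-client-IP token bucket sized from API_SERVER_RATE_LIMIT (default 100 req/min), a 429 carrying Retry-After once the bucket is empty, and a bypass for /health. The `check` method, the injectable `now` clock and the middleware's (path, client_ip) signature are assumptions made so the example runs without a web framework.

```python
# Added example of a per-IP token bucket limiter (assumed structure; not the
# project's implementation). Names _RateLimiter, rate_limit_middleware and
# API_SERVER_RATE_LIMIT follow the commit message; everything else is assumed.
import math
import os
import time
from typing import Dict, Optional, Tuple


class _RateLimiter:
    """Token bucket per client IP: `rate_per_minute` sustained, same size burst."""

    def __init__(self, rate_per_minute: int) -> None:
        self.capacity = float(rate_per_minute)            # burst size in tokens
        self.refill_per_sec = rate_per_minute / 60.0      # steady-state refill
        self._buckets: Dict[str, Tuple[float, float]] = {}  # ip -> (tokens, last_ts)

    def check(self, client_ip: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds). Unknown IPs start with a full bucket."""
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client_ip, (self.capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client_ip] = (tokens - 1.0, now)
            return True, 0
        self._buckets[client_ip] = (tokens, now)
        # Seconds until one whole token exists, rounded up for the Retry-After header.
        retry_after = math.ceil((1.0 - tokens) / self.refill_per_sec)
        return False, max(1, retry_after)


# Default limiter configured from the environment (100 req/min if unset).
_LIMITER = _RateLimiter(int(os.environ.get("API_SERVER_RATE_LIMIT", "100")))


def rate_limit_middleware(path: str, client_ip: str, now: Optional[float] = None,
                          limiter: _RateLimiter = _LIMITER) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra_headers): 200 passes the request on, 429 throttles it."""
    if path == "/health":                    # liveness probes are never throttled
        return 200, {}
    allowed, retry_after = limiter.check(client_ip, now)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(retry_after)}
```

Keying the bucket on the client IP as seen by the server means deployments behind a reverse proxy must resolve the real client address first, or every request shares one bucket.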