Allows limiter headers to be written via setting instead of sending them at all times #15

Open
go-aegian opened this issue Jun 14, 2022 · 7 comments


@go-aegian

The headers output by this middleware "X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset", "Retry-After" should be output depending on a configuration for it.

@micronull

These headings are common practice.
You'd rather have an option to turn them off.

@mwodrich

mwodrich commented Jan 28, 2023

+1 for a configuration option to disable adding X-RateLimit-* headers and Retry-After header, as users may wish to only respond with these under certain circumstances.

@pkieltyka
Member

Sorry but I don’t understand the request of this ticket.

@mwodrich

mwodrich commented Feb 6, 2023

These headers are very useful for coordinating rates with a cooperative client that just needs to bound resource usage over time, but in a scenario where the rate limits are set to limit the impact of malicious actors, I don't believe it is valuable or appropriate to give them any information about the state or configuration of the rate limiter.

@BenStigsen

... but in a scenario where the rate limits are set to limit the impact of malicious actors, I don't believe it is valuable or appropriate to give them any information about the state or configuration of the rate limiter.

I agree with this.

@VojtechVitek
Contributor

These headers are a de-facto standard for rate-limiting (see https://www.ietf.org/archive/id/draft-ietf-httpapi-ratelimit-headers-07.html draft). Let's keep them as is.

httprate/limiter.go

Lines 99 to 101 in 3327e65

w.Header().Set("X-RateLimit-Limit", fmt.Sprintf("%d", l.requestLimit))
w.Header().Set("X-RateLimit-Remaining", fmt.Sprintf("%d", 0))
w.Header().Set("X-RateLimit-Reset", fmt.Sprintf("%d", currentWindow.Add(l.windowLength).Unix()))

If you need to remove the headers for some reason, you can write a middleware that explicitly removes the response headers. Something like

func RemoveHeadersMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Unset headers set by previous middleware before handler writes to response body.
		w.Header().Del("X-RateLimit-Limit")
		w.Header().Del("X-RateLimit-Remaining")
		w.Header().Del("X-RateLimit-Reset")

		next.ServeHTTP(w, r)
	})
}
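
Added example, not part of the thread and not the httprate project's code: a limiter that rejects a request writes the response itself and never calls the next handler, so this variant wraps the `http.ResponseWriter` and deletes the headers at the moment the response is committed. `stripWriter`, `HideRateLimitHeaders`, `Probe` and `fakeLimiter` (a constructed stand-in for the limiter, with constructed header values) are hypothetical names; the header list is the one given in the issue text.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header names taken from the issue thread.
var rateLimitHeaders = []string{"X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset", "Retry-After"}

// stripWriter deletes the rate-limit headers just before the response is committed.
type stripWriter struct{ http.ResponseWriter }

func (s stripWriter) strip() {
	for _, h := range rateLimitHeaders {
		s.Header().Del(h)
	}
}
func (s stripWriter) WriteHeader(code int)        { s.strip(); s.ResponseWriter.WriteHeader(code) }
func (s stripWriter) Write(b []byte) (int, error) { s.strip(); return s.ResponseWriter.Write(b) }
func (s stripWriter) Unwrap() http.ResponseWriter { return s.ResponseWriter } // for http.ResponseController

// HideRateLimitHeaders must be registered before the limiter so that it wraps it.
func HideRateLimitHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sw := stripWriter{ResponseWriter: w}
		next.ServeHTTP(sw, r)
		sw.strip() // covers a handler that returned without writing anything
	})
}

// fakeLimiter is a constructed stand-in for the limiter: it always rejects.
func fakeLimiter(w http.ResponseWriter, r *http.Request) {
	for _, h := range rateLimitHeaders {
		w.Header().Set(h, "1") // constructed value
	}
	http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
}

// Probe sends one request through h and returns the status and response headers.
func Probe(h http.Handler) (int, http.Header) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Code, rec.Result().Header
}

func main() {
	fmt.Println(Probe(HideRateLimitHeaders(http.HandlerFunc(fakeLimiter))))
}
```

The client still receives the 429 status; only the limiter's configuration and state are withheld.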

@VojtechVitek
Contributor

VojtechVitek commented Feb 27, 2024

I've just noticed this unlinked PR: #16. Reopening.

@VojtechVitek VojtechVitek reopened this Feb 27, 2024