Introduce rate limit for REST api #3288

de-jcup · 2024-07-09T13:32:54Z

Situation

Currently we have no rate limit for SecHub API

A configurable rate limit for REST api calls.

Spring Boot seems to have an embedded support for token based quota.
Maybe we should use this to restrict?

de-jcup · 2024-07-09T13:33:13Z

We will close #2845 in favor of this one.

de-jcup · 2024-07-09T13:38:29Z

We close #2843 in favor of this one

hamidonos · 2024-07-09T15:52:07Z

Bucket4J is a good solution for rate limiting.

We should also keep in mind:

Implement the rate limiter as HandlerInterceptor (decouple business logic from rate limiting)
Use the clients ip for rate limiting, not the SecHub job id. Someone could just generate a new job id with every request and bypass the rate limiter.
Define a meaningful rate limit strategy. Ideally we can also configure this through env variables on deployment.
Handle distributed rate limiting for multiple instances. This could be solved through a in-memory cache like Redis (cloud environment) or our Postgres database (no cloud). To keep things simple we should just use the database. There are JDBC extensions for bucket4j which allow easy integration with the data source in Spring.
The response code should be 429 Too Many Requests
Rate limiter should log blocked requests. What do we do with this information? Do we need to know if someone is trying to attack us? Keep in mind to not log sensitive client information like the ip address.