From 786b65d68f938f166a103b881e7217c5b7668abf Mon Sep 17 00:00:00 2001
From: "DESKTOP-RTLN3BA\\$punk"
Date: Mon, 16 Feb 2026 23:28:20 -0800
Subject: [PATCH] feat: update default rate limits in SlowAPI limiter
- Increased the default rate limits from 180/minute to 1024/minute for enhanced API performance and protection against abuse.
---
 surfsense_backend/app/app.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/surfsense_backend/app/app.py b/surfsense_backend/app/app.py
index a20973ac6..dd15a74d4 100644
--- a/surfsense_backend/app/app.py
+++ b/surfsense_backend/app/app.py
@@ -38,14 +38,14 @@ rate_limit_logger = logging.getLogger("surfsense.rate_limit")
 # Uses the same Redis instance as Celery for zero additional infrastructure.
 # Protects auth endpoints from brute force and user enumeration attacks.
-# SlowAPI limiter — provides default rate limits (60/min) for ALL routes
+# SlowAPI limiter — provides default rate limits (1024/min) for ALL routes
 # via the ASGI middleware. This is the general safety net.
 # in_memory_fallback ensures requests are still served (with per-worker
 # in-memory limiting) when Redis is unreachable, instead of hanging.
 limiter = Limiter(
 key_func=get_remote_address,
 storage_uri=config.REDIS_APP_URL,
-default_limits=["180/minute"],
+default_limits=["1024/minute"],
 in_memory_fallback_enabled=True,
 in_memory_fallback=[MemoryStorage()],
 )
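Review bot: Setting `default_limits=["1024/minute"]` loosens the only limit that applies to routes without their own, so at roughly 17 requests per second per client address the "general safety net" no longer does much to slow password guessing or enumeration on any auth route that the stricter limiter mentioned in the context comments does not cover; that limiter is defined outside this hunk, so its coverage cannot be confirmed from here. The context comment also says the in-memory fallback counts per worker, which means the effective ceiling while Redis is unreachable is 1024 times the worker count. I would record the intent next to the value, for example `# Coarse per-IP ceiling only; auth routes must carry their own stricter limits.`, and read the number from configuration rather than hard-coding it. If the app runs behind a reverse proxy, it is also worth confirming that `get_remote_address` sees the client address and not the proxy's, since a shared key would turn 1024/minute into a cap shared by every client.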