From 42ca90ace0945a5a0a50b392a17a0aea0d8021de Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 22:19:09 +0000
Subject: [PATCH 1/2] Initial plan
From b4eefc5964dde9f2a0be486b9bbd8d2188999289 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 1 Apr 2026 22:22:07 +0000
Subject: [PATCH 2/2] fix: exclude 404 responses from rate-limit counter to prevent Safari icon requests from triggering early rate-limit
Agent-Logs-Url: https://github.com/mieweb/opensource-server/sessions/3fa31644-1044-4dfe-aa2d-e111bc78b3f0
Co-authored-by: runleveldev <44057501+runleveldev@users.noreply.github.com>
---
 create-a-container/server.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/create-a-container/server.js b/create-a-container/server.js
index b36ad094..1973c0e7 100644
--- a/create-a-container/server.js
+++ b/create-a-container/server.js
@@ -90,13 +90,16 @@ async function main() {
 });
 app.use(express.static('public'));
- // We rate limit unsucessful (4xx/5xx statuses) to only 10 per 5 minutes, this
+ // We rate limit unsuccessful (4xx/5xx statuses, excluding 404) to only 10 per 5 minutes, this
 // should allow legitimate users a few tries to login or experiment without
- // allowing bad-actors to abuse requests.
+ // allowing bad-actors to abuse requests. 404s are excluded because browsers
+ // (especially Safari) automatically request favicon/apple-touch-icon paths that
+ // don't exist, and those harmless misses should not burn the rate-limit budget.
 app.use(RateLimit({
 windowMs: 5 * 60 * 1000,
 max: 10,
 skipSuccessfulRequests: true,
+ requestWasSuccessful: (req, res) => res.statusCode < 400 || res.statusCode === 404,
 }));
 // Set version info once at startup in app.locals
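Review bot: The added `requestWasSuccessful` callback exempts every 404 from the limiter, not only the favicon/apple-touch-icon misses the comment describes. Any handler that answers 404 for a failed lookup (an unknown user, container or token; none of these routes are visible in this hunk) would no longer count against the 10-per-5-minutes budget, and requests for arbitrary missing paths stop being throttled at all. Scope the exemption to the browser-generated paths, e.g. `requestWasSuccessful: (req, res) => res.statusCode < 400 || (res.statusCode === 404 && /^\/(favicon\.ico|apple-touch-icon[^/]*\.png)$/.test(req.path)),`, or put real icon files in `public/` so `express.static` answers them before the limiter runs. `main()` starts and ends outside the hunk, so which routes can return 404 needs checking against the rest of the file.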