Merged
7 changes: 5 additions & 2 deletions create-a-container/server.js
Expand Up @@ -90,13 +90,16 @@ async function main() {
});
app.use(express.static('public'));

// We rate limit unsucessful (4xx/5xx statuses) to only 10 per 5 minutes, this
// We rate limit unsuccessful (4xx/5xx statuses, excluding 404) to only 10 per 5 minutes, this
// should allow legitimate users a few tries to login or experiment without
// allowing bad-actors to abuse requests.
// allowing bad-actors to abuse requests. 404s are excluded because browsers
// (especially Safari) automatically request favicon/apple-touch-icon paths that
// don't exist, and those harmless misses should not burn the rate-limit budget.
app.use(RateLimit({
windowMs: 5 * 60 * 1000,
max: 10,
skipSuccessfulRequests: true,
requestWasSuccessful: (req, res) => res.statusCode < 400 || res.statusCode === 404,
}));

// Set version info once at startup in app.locals
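Review bot: The `|| res.statusCode === 404` clause in `requestWasSuccessful` exempts every 404 on every route from the limiter, not only the favicon/apple-touch-icon misses the comment describes, so a client probing for nonexistent paths, or any route that would answer 404 for an unknown resource, no longer counts against the 10-per-5-minutes budget. Consider scoping the exemption to the icon paths, for example `res.statusCode === 404 && /^\/(favicon|apple-touch-icon)/.test(req.path)`, or placing real icon files in `public/` so that `express.static`, which is registered before the limiter, serves them and the 404s never occur. The comment should then name the exact paths that are exempt rather than all 404s.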