Rate limit the forward_auth controller

2025-10-29 13:55:36 +11:00
parent baa75a3456
commit 6f7de94623
1 changed files with 1 additions and 0 deletions
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -3,6 +3,7 @@ module Api
    # ForwardAuth endpoints need session storage for return URL
    allow_unauthenticated_access
    skip_before_action :verify_authenticity_token
+    rate_limit to: 100, within: 1.minute, only: :verify, with: -> { head :too_many_requests }

    # GET /api/verify
    # This endpoint is called by reverse proxies (Traefik, Caddy, nginx)