Add rate limiting to the API #489

Closed
opened 2026-02-20 08:02:47 -05:00 by deekerman · 2 comments

Originally created by @ntimo on GitHub (Nov 13, 2019).

Hello,
first off, awesome project. I just took a look at the official Bitwarden API and saw that it has a rate limit. I would like to suggest adding a rate limit too. It should probably use the same headers as the official one:

x-rate-limit-limit: 1m
x-rate-limit-remaining: 199
x-rate-limit-reset: 2019-11-13T22:48:01.3005818Z

What do you think about that? Maybe the limit could also be made configurable using an environment variable.


@dani-garcia commented on GitHub (Nov 14, 2019):

So far we've intentionally kept out of this space because it's reasonably easy to do with external tools, while it could be quite complex to implement correctly, and at the same time it would require a lot of configurability because no one wants the exact same setup. For example, someone might prefer to only rate-limit the login endpoint, or apply different limits to logged-in users vs. anonymous users; someone might want to ban the users after the limit is reached, others might want to block them for a certain time; someone could want more restrictive limits for some IP range or more relaxed ones for the local LAN...

Personally I wouldn't mind some basic rate limiting being built in, but a more robust solution would be to create documentation on how to integrate bitwarden_rs with the rate limiting of third-party proxies or firewalls.

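To make the two sides of this thread concrete, here is an added example (written for this page, not code from bitwarden_rs/vaultwarden or the Bitwarden API) of a small in-process rate limiter in Rust. It emits the three `x-rate-limit-*` headers from the opening post and shows the configurability @dani-garcia lists: a tighter limit on the login endpoint, separate limits for logged-in vs. anonymous clients, and limits read from environment variables. The environment variable names, the login path, the numeric limits, the fixed-window algorithm and the constructed IP address are all assumptions, not project settings; banning, timed blocks and per-IP-range rules are left out, as the reply suggests those belong in a proxy or firewall.

```rust
use std::collections::HashMap;
use std::time::Duration;

/// One rate-limit class: at most `limit` requests per `window`.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Policy {
    pub limit: u32,
    pub window: Duration,
}

impl Policy {
    /// Read a per-minute limit from an environment variable, falling back to
    /// `default_limit`. The variable names used below are assumptions for this example.
    pub fn per_minute_from_env(var: &str, default_limit: u32) -> Policy {
        let limit = std::env::var(var)
            .ok()
            .and_then(|v| v.trim().parse::<u32>().ok())
            .unwrap_or(default_limit);
        Policy { limit, window: Duration::from_secs(60) }
    }
}

/// Assumed login path (not stated in the issue). The login endpoint is the
/// credential-guessing target, so it gets the tightest default limit.
pub const LOGIN_PATH: &str = "/identity/connect/token";

pub fn policy_for(path: &str, authenticated: bool) -> Policy {
    if path == LOGIN_PATH {
        Policy::per_minute_from_env("RATE_LIMIT_LOGIN_PER_MINUTE", 10)
    } else if authenticated {
        Policy::per_minute_from_env("RATE_LIMIT_USER_PER_MINUTE", 200)
    } else {
        Policy::per_minute_from_env("RATE_LIMIT_ANON_PER_MINUTE", 60)
    }
}

/// Bucket key: logged-in users are counted per account, anonymous clients per IP.
pub fn client_key(ip: &str, user_id: Option<&str>) -> String {
    match user_id {
        Some(u) => format!("user:{u}"),
        None => format!("ip:{ip}"),
    }
}

#[derive(Debug, PartialEq)]
pub struct Decision {
    pub allowed: bool,
    pub remaining: u32,
    pub reset_at: u64, // unix seconds at which the current window ends
}

/// Fixed-window counter per key. `now` (unix seconds) is injected so the
/// logic is deterministic; a server would pass the current SystemTime.
#[derive(Default)]
pub struct RateLimiter {
    windows: HashMap<String, (u64, u32)>, // key -> (window start, requests counted)
}

impl RateLimiter {
    pub fn check(&mut self, key: &str, policy: Policy, now: u64) -> Decision {
        let window = policy.window.as_secs();
        let entry = self.windows.entry(key.to_string()).or_insert((now, 0));
        if now >= entry.0 + window {
            *entry = (now, 0); // previous window expired; start a fresh one
        }
        let allowed = entry.1 < policy.limit;
        if allowed {
            entry.1 += 1; // rejected requests do not consume budget
        }
        Decision { allowed, remaining: policy.limit.saturating_sub(entry.1), reset_at: entry.0 + window }
    }
}

/// The three headers from the issue: the window rendered as the official API
/// shows it ("1m"), the remaining budget, and the reset time as ISO 8601 UTC.
pub fn rate_limit_headers(policy: Policy, d: &Decision) -> Vec<(&'static str, String)> {
    let secs = policy.window.as_secs();
    let window = if secs % 60 == 0 { format!("{}m", secs / 60) } else { format!("{secs}s") };
    vec![
        ("x-rate-limit-limit", window),
        ("x-rate-limit-remaining", d.remaining.to_string()),
        ("x-rate-limit-reset", format_utc(d.reset_at)),
    ]
}

/// Unix seconds -> "YYYY-MM-DDTHH:MM:SSZ" with no external crates
/// (Howard Hinnant's civil-from-days algorithm, proleptic Gregorian).
pub fn format_utc(secs: u64) -> String {
    let (days, rem) = (secs / 86_400, secs % 86_400);
    let (hh, mm, ss) = (rem / 3_600, (rem % 3_600) / 60, rem % 60);
    let z = days as i64 + 719_468;
    let (era, doe) = (z.div_euclid(146_097), z.rem_euclid(146_097));
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    format!("{y:04}-{m:02}-{d:02}T{hh:02}:{mm:02}:{ss:02}Z")
}

fn main() {
    // Twelve anonymous login attempts from one constructed TEST-NET address,
    // one per second; under the default of 10/min the last ones are rejected.
    let mut limiter = RateLimiter::default();
    let policy = policy_for(LOGIN_PATH, false);
    let key = client_key("203.0.113.7", None);
    let last = (0..12).map(|i| limiter.check(&key, policy, 1_573_685_221 + i)).last().unwrap();
    println!("allowed={}", last.allowed);
    for (name, value) in rate_limit_headers(policy, &last) {
        println!("{name}: {value}");
    }
}
```

A fixed window is the simplest scheme and matches the headers well, but it lets a client spend two full budgets around a window boundary; a sliding window or token bucket closes that gap at the cost of more state. Note also that rejected requests here do not extend the window, so a client that keeps hammering is only delayed, not banned, which is exactly the policy question the reply leaves to the operator.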

@BlackDex commented on GitHub (Oct 8, 2020):

To keep the issue tracker more focused, I'm closing this issue in favor of the meta issue at #246

Reference
starred/vaultwarden#489