From 4984a26aa7c141b642325e7ea388782f1c22c927 Mon Sep 17 00:00:00 2001
From: Ondrej Synacek
Date: Tue, 5 Nov 2019 21:08:59 +0100
Subject: [PATCH] set more strict rate limiting for download endpoint
---
 lib/index.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/index.js b/lib/index.js
index 8c806bd..26eb086 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -22,6 +22,10 @@ const enforceHTTPS = Boolean(process.env.ENFORCE_HTTPS)
 const app = express()
 const appLogger = createAppLogger({ dev: isDevelopment })
 
+const limiter = rateLimit({
+ windowMs: 60 * 1000,
+ max: 10,
+})
 
 // Force app to always redirect to HTTPS
 // use when you can't configure web server
@@ -34,6 +38,7 @@ app.use(createRouteLogger({ dev: isDevelopment }))
 app.set('view engine', 'ejs')
 app.set('views', path.join(__dirname, 'views'))
 
+app.set('trust proxy', 1)
 
 app.use(express.static(path.join(__dirname, 'public')))
 app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
@@ -66,8 +71,8 @@ app.get('*', (req, res) => {
 res.status(400).render('404')
 })
 
+app.use('/download', limiter)
 app.use('/download', checkURLParameter)
-app.use('/download', rateLimit())
 app.post('/download', async (req, res, next) => {
 try {
 const { url } = req.body
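Review bot: The new `limiter` hard-codes `windowMs: 60 * 1000` and `max: 10` with no comment saying what budget that is or why it was chosen, while the neighbouring `enforceHTTPS` two lines above is already driven by an environment variable. I would document the intent above the declaration, `// Per-client budget for /download: at most 10 requests per minute (keyed on req.ip by default)`, and let deployments tune it without a code change with `max: Number(process.env.DOWNLOAD_RATE_LIMIT) || 10,`. Whether `rateLimit` keys on `req.ip` depends on the express-rate-limit version in use and should be confirmed, since that is what makes the `trust proxy` change in this same commit load-bearing.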
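Review bot: `app.set('trust proxy', 1)` is set unconditionally, so Express will take the client address from `X-Forwarded-For` whenever the request arrives; if this app is ever reachable without exactly one trusted proxy in front of it (local runs, a misconfigured ingress), a caller can send its own `X-Forwarded-For` and get a fresh rate-limit bucket per forged address, which defeats the limiter this commit is tightening. The same setting presumably also makes the HTTPS redirect trust `X-Forwarded-Proto`, which is why it should be opt-in like `ENFORCE_HTTPS` is. I would gate it on the environment, `if (process.env.TRUST_PROXY) app.set('trust proxy', Number(process.env.TRUST_PROXY))`, with a comment `// Number of reverse-proxy hops to trust; leave unset when the app is exposed directly`.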
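Review bot: The limiter now runs before `checkURLParameter` where the old `rateLimit()` ran after it, so malformed requests also consume the caller's budget; that is the right choice for an abuse control but nothing in the code says it is deliberate, so a later reorder could silently undo it. I would add `// Rate-limit before validation so rejected requests also count against the caller` above `app.use('/download', limiter)`. Note that `app.use('/download', ...)` mounts on the path prefix and every method, so the budget also covers anything under `/download/...`, which looks intended but is worth stating in the same comment.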