Open
Labels: enhancement (New feature or request)
Description
What's needed and why?
The current rate-limiting feature relies mainly on the client’s IP address.
This causes several practical issues:
- False positives for users behind NAT, VPNs, or corporate networks, where many legitimate users share the same public IP.
- Easy evasion by attackers using rotating proxies, VPN pools, or IPv6 address cycling.
- Normal application behavior (image loading, auto-refresh, API fan-out, notifications, etc.) can naturally generate many requests and wrongly trigger rate limits.
Because of these limitations, the IP-only rate limit is unreliable and leads to inaccurate blocking.
Enhancing the rate-limiting mechanism to use stronger identity signals would greatly improve accuracy and usability.
Implementation ideas (optional)
Suggested improvements that may strengthen the existing rate-limiting system:
Support additional rate-limit keys such as:
- user ID
- session ID
- API key
- device/browser fingerprint
- JA3/TLS fingerprint
Implement multi-dimensional rate limiting combining:
- per-IP
- per-user
- per-endpoint
- per-action type
These changes would make the rate limit more robust and reduce both false positives and evasion.
I think the team can refer to some characteristics for rate limiting from https://developers.cloudflare.com/waf/rate-limiting-rules/
Code of Conduct
- I agree to follow this project's Code of Conduct
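To make the proposal concrete, here is an added example (not code from this project) of a multi-dimensional sliding-window limiter in Python: rules keyed on IP, on user, and on user plus endpoint for one named action, run through the three situations the issue describes (many users behind one NAT address, one account cycling through many addresses, repeated logins against one account). The field names, limits, addresses and the `Rule`/`MultiDimRateLimiter` API are constructed for illustration, not taken from the project.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dimensions: tuple   # request fields forming the key, e.g. ("ip",) or ("user", "endpoint")
    limit: int          # max requests per window for one key value
    window: float       # window length in seconds
    match: tuple = ()   # optional (field, value) pairs a request must carry for the rule to apply
class MultiDimRateLimiter:  # a request passes only if it fits under every applicable rule
    def __init__(self, rules):
        self.rules = rules
        self.hits = defaultdict(deque)  # (rule index, key) -> timestamps of counted requests
    def _key(self, rule, req):
        if any(req.get(f) != v for f, v in rule.match):
            return None                            # rule targets a different action/endpoint
        vals = tuple(req.get(d) for d in rule.dimensions)
        return None if None in vals else vals      # e.g. anonymous request: user-keyed rules skip
    def check(self, req, now):
        """Return (allowed, violated_rule). Only allowed requests are counted against the buckets."""
        buckets = []
        for i, rule in enumerate(self.rules):
            key = self._key(rule, req)
            if key is None:
                continue
            q = self.hits[(i, key)]
            while q and now - q[0] >= rule.window:
                q.popleft()                        # expire hits that fell out of the window
            if len(q) >= rule.limit:
                return False, rule
            buckets.append(q)
        for q in buckets:
            q.append(now)
        return True, None

def demo():
    rl = MultiDimRateLimiter([
        Rule(("ip",), 100, 60),                                          # generous: a NAT IP is many people
        Rule(("user",), 20, 60),                                         # per account, whatever the IP
        Rule(("user", "endpoint"), 5, 60, match=(("action", "login"),)),  # per action: 5 logins/min/account
    ])
    def count(reqs, now):
        return sum(rl.check(r, now)[0] for r in reqs)
    # 30 office users behind one NAT address, 3 reads each: 90 requests from one IP, none blocked
    nat = count([dict(ip="203.0.113.10", user=f"u{u}", endpoint="/feed", action="read") for u in range(30) for _ in range(3)], 0.0)
    # one account cycling through 25 addresses: the IP rule never trips, the per-user rule does at 20
    rotating = count([dict(ip=f"2001:db8::{i}", user="acct7", endpoint="/feed", action="read") for i in range(25)], 1.0)
    # 8 login attempts on one account from 8 addresses: the action-specific rule stops it at 5
    login = count([dict(ip=f"198.51.100.{i}", user="victim", endpoint="/login", action="login") for i in range(8)], 2.0)
    return {"nat_allowed": nat, "rotating_allowed": rotating, "login_allowed": login}
```

Anonymous requests carry no `user`, so only the IP rule bounds them; that gap is exactly where the session, API-key or fingerprint keys listed above would add another dimension.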