Add rate limiting to protect against DDoS#90
Andrew718PLTS
left a comment
Code LGTM (one tiniest comment), unit tests passed successfully, but unfortunately, I can't test new changes because of preview deployment failure - pls check and fix that.
Great that you've added the unit tests setup, I like it.
Additionally, it'd be nice to run the unit tests on CI on push - it's so fast and doesn't require massive changes - actually a couple of lines (check the example from FE monorepo).
🚀 Preview Deployment
Your preview deployment is ready! 🔗 Preview URL: https://analytics-api-preview-feat-rate-limiting-a4neydykmq-uc.a.run.app/docs 📝 Details:
This preview will be automatically updated with each new commit to this PR and will be deleted when the PR is merged or closed.
Andrew718PLTS
left a comment
I ran performance tests to verify caching and DDoS protection using a GET /health request.
It simulates 5 users sequentially sending for 1m (Total requests sent: 231).
Here's the summary based on results:
Cache
It took 12s to populate the cache and start using it.
DDoS Protection
We started erroring out with the 429 status approximately in the middle of execution.
Conclusions
LGTM, just a few comments below:
- The only thing I'd highlight is that I wouldn't mention `ThrottlerException` in the error message. I don't wanna show any sign of throttling for potential attackers) But it still might be mentioned in the internal logs.
- Additionally, I ran tests with 50 users for 1m and saw that we also have `ESOCKETTIMEDOUT` error. There are only 7 out of ~1500, but we still might need to look it up and potentially fix it.

Description
Implements HTTP rate limiting to mitigate potential DoS attacks.
- `@nestjs/throttler` (10 req/s, 50 req/10s, 100 req/min)
Context
The health endpoint is somewhat vulnerable to DoS as each request triggers 5+ external API calls (Blockstream, Blockchain.info, RPC nodes, etc.) without caching.
Key Changes
- `src/app.module.ts`
- `src/main.ts`: `trust proxy` for Cloud Run load balancer
- `src/api/health/health.controller.ts`
- `vitest.config.ts`
How to test
Verify rate limiting works:
Verify health caching:
Run tests locally:
`pnpm test`
Code review focus:
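The three-tier limit this PR configures, as an added example that is not the PR's own code: a sliding-window model standing in for `@nestjs/throttler` (the tier values are the PR's; the `TieredThrottler` class, the `simulate` helper and the client IPs are assumptions). Following the review comment, the client only ever sees a generic 429 body while the tier that tripped is kept for internal logs, and `simulate` replays the reviewer's 231 evenly spaced requests over one minute from a single client.

```typescript
interface Tier { name: string; limit: number; ttlMs: number }

// Tier values from the PR; the rest of this file is an assumed stand-in.
const TIERS: Tier[] = [
  { name: "short", limit: 10, ttlMs: 1000 },
  { name: "medium", limit: 50, ttlMs: 10000 },
  { name: "long", limit: 100, ttlMs: 60000 },
];

interface Decision { status: 200 | 429; body: string; internalReason?: string }

class TieredThrottler {
  private hits = new Map<string, number[]>();
  constructor(private readonly tiers: Tier[] = TIERS) {}

  // Admit or reject one request from `key` (client IP) at time `nowMs`.
  // Rejection happens as soon as any tier's sliding window is full.
  check(key: string, nowMs: number): Decision {
    const longest = Math.max(...this.tiers.map((t) => t.ttlMs));
    // Keep only timestamps inside the widest window so memory stays bounded.
    const stamps = (this.hits.get(key) ?? []).filter((t) => nowMs - t < longest);
    this.hits.set(key, stamps);
    for (const tier of this.tiers) {
      const inWindow = stamps.filter((t) => nowMs - t < tier.ttlMs).length;
      if (inWindow >= tier.limit) {
        // The client gets a generic 429; which tier tripped goes to logs only.
        return {
          status: 429,
          body: "Too Many Requests",
          internalReason: `tier ${tier.name}: ${inWindow}/${tier.limit} within ${tier.ttlMs} ms`,
        };
      }
    }
    stamps.push(nowMs); // rejected requests are not counted in this model
    return { status: 200, body: "ok" };
  }
}

// Replay `total` evenly spaced requests from one constructed client IP over
// `durationMs`, mirroring the reviewer's 231 requests in one minute.
function simulate(total: number, durationMs: number) {
  const limiter = new TieredThrottler();
  let ok = 0, limited = 0, firstLimitedAt = -1;
  for (let i = 0; i < total; i++) {
    const now = Math.round((i * durationMs) / total);
    if (limiter.check("203.0.113.7", now).status === 200) ok++;
    else { limited++; if (firstLimitedAt < 0) firstLimitedAt = i + 1; }
  }
  return { ok, limited, firstLimitedAt };
}
```

With 231 requests spread over 60 s the per-second and per-10-second tiers never fill; the 100 req/min tier rejects from request 101 onwards, at roughly 26 s, which matches the reviewer seeing 429s around the middle of the run.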