Problem
PR #224 added in-memory rate limiting for the view count API. This resets on serverless cold starts and is bypassable via x-forwarded-for spoofing without a trusted reverse proxy.
Current approach is acceptable for casual abuse prevention but won't stop determined actors.
Potential improvements (pick one if needed)
- Supabase-based dedup: check
page_views table for recent entries from same IP/session before inserting (already partially done via session dedup)
- Edge middleware rate limiting: if deployed on Vercel, use Vercel Edge Config or KV for durable counters
- Hash IP in page_views: store hashed IP for audit, query recent entries for rate check
Priority
LOW — current approach is fine for testnet/early launch. Revisit if view inflation becomes a real problem.
Acceptance Criteria
Problem
PR #224 added in-memory rate limiting for the view count API. This resets on serverless cold starts and is bypassable via
x-forwarded-forspoofing without a trusted reverse proxy.Current approach is acceptable for casual abuse prevention but won't stop determined actors.
Potential improvements (pick one if needed)
page_viewstable for recent entries from same IP/session before inserting (already partially done via session dedup)Priority
LOW — current approach is fine for testnet/early launch. Revisit if view inflation becomes a real problem.
Acceptance Criteria