fix: add rate limiting and field size limits to feedback endpoint #112

Open
JasonOA888 wants to merge 1 commit into tanweai:main from JasonOA888:fix/issue-96-feedback-security

@JasonOA888

Fixes #96

Summary

Security hardening for the POST /api/feedback endpoint.

Changes

  1. IP-based Rate Limiting - Max 5 requests per IP per hour
  2. Field Size Limits - Prevent storage exhaustion:
    • session_data: 10KB max
    • task_summary: 1KB max
    • rating: 50 chars max
    • flavor: 100 chars max
  3. Configuration - Add KV namespace binding for rate limiter

Backward Compatibility

  • Existing clients continue to work
  • No breaking changes to API contract
  • Rate limiting is opt-in via KV binding

Issue tanweai#96: Security hardening for POST /api/feedback

Changes:
- Add IP-based rate limiting (5 requests/hour per IP)
- Add field size limits to prevent storage exhaustion:
  - session_data: 10KB max
  - task_summary: 1KB max
  - rating: 50 chars max
  - flavor: 100 chars max
- Add KV namespace binding for rate limiter (optional)
- Return 429 status when rate limited

The rate limiting uses Cloudflare KV with TTL-based expiration.
Without KV binding, the endpoint still works but without rate limiting.

Fixes tanweai#96
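
The field limits and the KV-backed counter described in this pull request, as an added example that is not the PR's own code. The `RATE_LIMIT_KV` binding name, the helper names, the 1024-byte reading of "KB", and the 413 status for oversized fields are assumptions; `fakeKV` is a constructed in-memory stand-in for a KV namespace.

```javascript
// Added example, not the PR's code. RATE_LIMIT_KV and all helper names are hypothetical.
// Limits are the ones listed in the PR description; "KB" is read as 1024 bytes (assumption).
const LIMITS = {
  session_data: { max: 10 * 1024, unit: "bytes" },
  task_summary: { max: 1024, unit: "bytes" },
  rating: { max: 50, unit: "chars" },
  flavor: { max: 100, unit: "chars" },
};
const MAX_REQUESTS = 5, WINDOW_SECONDS = 3600;

// Returns the name of the first oversized field, or null if every field fits.
function oversizedField(body) {
  for (const [name, { max, unit }] of Object.entries(LIMITS)) {
    const v = body[name];
    if (v === undefined || v === null) continue;
    const s = typeof v === "string" ? v : JSON.stringify(v);
    const size = unit === "bytes" ? new TextEncoder().encode(s).length : s.length;
    if (size > max) return name;
  }
  return null;
}

// Fixed-window counter stored in KV. The read-then-write is not atomic and KV is
// eventually consistent, so the cap is approximate under concurrent requests.
async function allowRequest(kv, ip, nowSec) {
  if (!kv) return true; // no KV binding configured: rate limiting is off
  const key = `rl:${ip}`;
  const rec = JSON.parse((await kv.get(key)) || "null");
  const win = rec && rec.reset > nowSec ? rec : { count: 0, reset: nowSec + WINDOW_SECONDS };
  if (win.count >= MAX_REQUESTS) return false;
  win.count += 1;
  // Expire the key when the window ends; KV rejects an expirationTtl under 60 seconds.
  await kv.put(key, JSON.stringify(win), { expirationTtl: Math.max(60, win.reset - nowSec) });
  return true;
}

// Status the endpoint would return: 429 when rate limited, 413 (assumed) when oversized.
async function feedbackStatus(env, ip, body, nowSec) {
  if (!(await allowRequest(env.RATE_LIMIT_KV, ip, nowSec))) return 429;
  if (oversizedField(body)) return 413;
  return 200;
}

// Constructed in-memory stand-in for a KV namespace (ignores TTL; the record carries `reset`).
function fakeKV() {
  const m = new Map();
  return { get: async (k) => m.get(k) ?? null, put: async (k, v) => { m.set(k, v); } };
}
```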
Development

Successfully merging this pull request may close these issues.

Security: Feedback endpoint has no auth, rate limiting, or CSRF protection

1 participant