    Treat API requests from the frontend as web traffic in the rate limiter · e77b3686
    Markus Koller authored
    This will allow us to impose stricter rate limits for general API
    traffic, without affecting interactive API requests made by the
    frontend during normal GitLab usage.
    
    The frontend requests are identified by the inclusion of a CSRF token
    in the headers.
    
    Other rate limits that only affect a subset of API requests (e.g. the
    Files and Packages APIs, or protected paths) still take precedence,
    i.e. requests for these paths will always be matched even if they
    include a CSRF token.
    
    Changelog: changed
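
The precedence described in the commit message, sketched as an added Ruby example; it is not GitLab's code and is not taken from this commit. The path patterns, `throttle_bucket`, `secure_equal?` and the sample requests are hypothetical or constructed. Comparing the header against the session's token is an assumption that stands in for the framework's own CSRF verification (the message only says the token is included in the headers).

```ruby
# Added illustration; every name and pattern here is hypothetical, not GitLab's code.

# Constructed sample patterns for throttles that cover only a subset of paths.
SUBSET_THROTTLES = {
  files_api:       %r{\A/api/v\d+/projects/[^/]+/repository/files/},
  packages_api:    %r{\A/api/v\d+/projects/[^/]+/packages/},
  protected_paths: %r{\A/users/sign_in\z}
}.freeze

# Constant-time comparison so the token check does not leak a prefix match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the throttle a request is counted against.
# env: Rack-style hash; session_token: CSRF token held in the session (nil if none).
def throttle_bucket(env, session_token)
  path = env.fetch('PATH_INFO')

  # 1. Subset throttles always win, with or without a CSRF token.
  SUBSET_THROTTLES.each { |name, pattern| return name if path.match?(pattern) }

  # 2. Non-API requests are ordinary web traffic.
  return :web unless path.start_with?('/api/')

  # 3. API requests carrying the session's CSRF token count as web traffic
  #    (assumption: the token is verified, not merely present).
  sent = env['HTTP_X_CSRF_TOKEN']
  return :web if sent && session_token && secure_equal?(sent, session_token)

  # 4. Everything else is general API traffic and gets the stricter limit.
  :api
end

# Constructed sample requests.
TOKEN = 'constructed-session-token'
SAMPLES = [
  { 'PATH_INFO' => '/api/v4/projects/1/issues', 'HTTP_X_CSRF_TOKEN' => TOKEN },
  { 'PATH_INFO' => '/api/v4/projects/1/issues' },
  { 'PATH_INFO' => '/api/v4/projects/1/issues', 'HTTP_X_CSRF_TOKEN' => 'wrong' },
  { 'PATH_INFO' => '/api/v4/projects/1/repository/files/README.md', 'HTTP_X_CSRF_TOKEN' => TOKEN }
].freeze

SAMPLES.each { |env| puts "#{env['PATH_INFO']} -> #{throttle_bucket(env, TOKEN)}" }
```
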
rack_attack_spec_helpers.rb 1.87 KB