denial of service #30
You claim a limit based on IP address, however you read that "address" from HTTP headers, X-Real-IP, which I assume can be anything I as sender can set.
So, the limit will not work.

Comments

That's a good point. The X-Real-IP header is set by my nginx reverse proxy. So it's not a problem for textbelt.com. However, if you are running this on your own, you will need to set that header correctly. I should update the documentation to reflect this. 41abd43 adds an example nginx configuration.

Hm. Can't you get the IP address in a proper way? Without setting this header... Also, you are not handling proxies; X-Forwarded-For is the "standard" header for those. Meaning I could get a list of proxies and send more than the allowed quota.

Without setting the header, all forwarded nginx traffic will appear to originate from 127.0.0.1. Unfortunately, people can always abuse IP-based limits with proxies. Using X-Forwarded-For instead of X-Real-IP won't prevent this. The intent of the header check is just to allow the server to run behind a load balancer. If the server isn't behind a load balancer, the current check would let an attacker spoof their rate limited IP by setting the header.

IP rate limiting has been removed.