bank-green/bankgreen-django

GraphQL Rate Limiting

Closed this issue · 3 comments

For this ticket there is probably an easy Django package available. It's worth looking into before you try to roll your own. If the package has other ways of handling DDoS attacks on a GraphQL endpoint, we can also use those.

  • Unauthenticated queries should have some protection from DDoS attacks
    • We should accept no more than 10 queries a second from a single IP address
      • Here, we should return a 429 Too Many Requests HTTP code
      • Requests that we return 429 to should not cause the application to query the database.
      • Further frequent requests should incur further rate penalties

The best way, I think, to implement this is from the web server (Nginx). There are a lot of Django packages to implement rate limiting, like django-ratelimit or django-throttle-requests. Even django-rest-framework has throttling (DRF throttling), but I didn't find any package for GraphQL with Django. I can implement my own, but it'll be the same as the previous packages, which don't implement it with GraphQL.
In Nginx we can rate limit each IP and return 429 after hitting the limit. Normally they can't query the database if they receive a 429 error.
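The Nginx approach from the comment above, written out as an added example (not the project's own configuration): the upstream address 127.0.0.1:8000, the /graphql path, the zone name and the placeholder hostname are assumptions.

```nginx
# Added example, not the project's own config. Assumes the Django app listens on
# 127.0.0.1:8000 and serves GraphQL at /graphql; adjust both to match the deployment.

# Switch for turning the limit on and off: the key defaults to the client address.
# Change the value to "" and reload Nginx to disable the limit entirely, because
# requests with an empty key are not counted against any bucket.
map $host $graphql_limit_key {
    default $binary_remote_addr;
}

# One bucket per client IP, 10 requests/second, 10 MB of shared memory (~160k IPs).
limit_req_zone $graphql_limit_key zone=graphql_per_ip:10m rate=10r/s;

# Rejected requests get 429 Too Many Requests instead of Nginx's default 503.
limit_req_status 429;
limit_req_log_level warn;

server {
    listen 80;
    server_name example.invalid;   # placeholder hostname

    location /graphql {
        # Rejection happens here, before proxy_pass, so a request that gets a 429
        # never reaches Django and never touches the database.
        # burst=10 nodelay: up to 10 requests may arrive at once; beyond that, and
        # beyond a sustained 10 r/s, Nginx answers 429 immediately instead of queueing.
        limit_req zone=graphql_per_ip burst=10 nodelay;

        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

If Nginx sits behind a load balancer, configure the real_ip module (set_real_ip_from / real_ip_header) first, otherwise every client shares the balancer's address and a single bucket. limit_req has no escalating penalty, so the "further rate penalties" bullet would need a separate mechanism, for example fail2ban acting on the logged 429s.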

@skerdilajdhoxha - An Nginx limit would be totally acceptable. When implementing this, would you please document the process for turning it on and off? We'll want that in the future.

I did finish this.