Add middleware to protect against DoS #3620
Conversation
GB907762 left a comment:
I think rate limiting might be good? You could abuse this by just hogging Bailo resources? Meaning no one else can use the tool?
```javascript
export function tooBusy(req, res, next) {
  if (toobusy()) {
    log.warn('Server response time too long, preventing more requests from being handled.')
    res.status(503).send('Server Too Busy')
    // remainder of the function is not shown in the review excerpt
  }
}
```
I naively assumed this library was only limiting requests from the same origin. Also, is ConfigurationError what we want? To me that would imply that there was a problem with the configuration, whereas this is a purposely thrown error.
I think our naming for this error isn't correct. Really it should be ServiceUnavailable, but we should let our error handler handle it so that the error is consistent for the user, in line with all other errors within the app.
Have a look here for usage of a 503
Common causes are that a server is down for maintenance or overloaded
That library hasn't been updated in 10 years (although how much maintenance does it need) - maybe a slightly different approach by using rate limiting like suggested above - perhaps: https://www.npmjs.com/package/express-rate-limit instead?
https://github.com/STRML/node-toobusy/blob/master/toobusy.js#L35-L41
Following guidance https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#monitor-the-event-loop
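The two protections this thread weighs against each other, event-loop-lag load shedding (what node-toobusy does, per the OWASP cheat sheet linked above) and per-client rate limiting (what express-rate-limit does), as an added example that is not Bailo's code and not either library's source. It is dependency-free so it runs offline: the lag monitor re-implements the timer-drift idea, the rate limiter is a fixed-window counter like express-rate-limit's in-memory default, and the 503 is passed to `next(err)` so the app's error handler formats it like every other error, as suggested in the review. `ServiceUnavailableError`, `TooManyRequestsError`, `errorHandler` and the JSON error envelope are assumptions, not Bailo's real classes.

```javascript
// Added example (not Bailo's code). Express-style (req, res, next) middleware for
// load shedding and rate limiting; error classes and handler shape are assumed.

class ServiceUnavailableError extends Error {
  constructor(message) { super(message); this.name = 'ServiceUnavailableError'; this.status = 503 }
}

class TooManyRequestsError extends Error {
  constructor(message) { super(message); this.name = 'TooManyRequestsError'; this.status = 429 }
}

// Event-loop lag monitor, same idea as node-toobusy: arm a timer and measure how late
// it fires. A saturated loop delays the callback; the delay is smoothed exponentially
// so a single GC pause does not trip the limit.
function createLagMonitor({ intervalMs = 500, maxLagMs = 70, smoothing = 1 / 3 } = {}) {
  let lag = 0
  let last = null
  let handle = null
  const monitor = {
    // tick(now) is what the timer calls; exposed so it can be driven from a test clock
    tick(now) {
      if (last !== null) {
        const observed = Math.max(0, now - last - intervalMs)
        lag = smoothing * observed + (1 - smoothing) * lag
      }
      last = now
    },
    lag: () => lag,
    tooBusy: () => lag > maxLagMs,
    start() {
      handle = setInterval(() => monitor.tick(Date.now()), intervalMs)
      if (handle.unref) handle.unref() // never keep the process alive just for the monitor
    },
    stop() { clearInterval(handle) },
  }
  return monitor
}

// Load-shedding middleware: hand the 503 to the error handler rather than sending it
// directly, so the response format matches every other error the app returns.
function tooBusyMiddleware(monitor) {
  return function tooBusy(req, res, next) {
    if (monitor.tooBusy()) {
      return next(new ServiceUnavailableError('Server too busy, try again later'))
    }
    next()
  }
}

// Per-client fixed-window rate limiter: at most `max` requests per `windowMs` per key
// (default key req.ip). Limits one abusive client without shedding everyone's load.
function createRateLimiter({ windowMs = 60_000, max = 100, keyFor = (req) => req.ip, now = Date.now } = {}) {
  const hits = new Map() // key -> { count, resetAt }
  return function rateLimit(req, res, next) {
    const t = now()
    const key = keyFor(req)
    let entry = hits.get(key)
    if (!entry || entry.resetAt <= t) {
      entry = { count: 0, resetAt: t + windowMs }
      hits.set(key, entry)
    }
    entry.count += 1
    res.setHeader('RateLimit-Limit', String(max))
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)))
    if (entry.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((entry.resetAt - t) / 1000)))
      return next(new TooManyRequestsError('Too many requests from this client'))
    }
    next()
  }
}

// Central error handler (assumed shape): every error becomes the same JSON envelope.
function errorHandler(err, req, res, next) {
  res.status(err.status || 500).json({ error: { name: err.name, message: err.message } })
}

// Minimal stand-in for an Express response/app so the chain runs without a server.
function makeRes() {
  return {
    statusCode: 200, headers: {}, body: undefined,
    setHeader(k, v) { this.headers[k] = v },
    status(c) { this.statusCode = c; return this },
    json(b) { this.body = b; return this },
  }
}

function dispatch(middlewares, req, res = makeRes()) {
  let i = 0
  const next = (err) => {
    if (err) return errorHandler(err, req, res, () => {})
    const mw = middlewares[i++]
    if (mw) mw(req, res, next)
  }
  next()
  return res
}
```

In a real app the two are complementary rather than alternatives: `createRateLimiter()` caps any one client, while `tooBusyMiddleware(monitor)` (after `monitor.start()`) sheds load once the whole process is saturated regardless of who is sending. Both go near the top of the middleware stack, before anything that does real work.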