Security Update: Rate Limiting Now Enforced Across All API Endpoints
Release: v0.1.143 · Control: SEC-15 · Category: Infrastructure Security
Background
The sanctions screening platform includes a rate limiting library (src/lib/rate-limit.ts) that defines tiered request limits for different categories of API operation. Prior to this release, that library was comprehensive in design but not applied to any of the main API route handlers.
The following routes were unprotected:
- GET and POST /api/people
- GET /api/matches
- GET /api/dashboard/stats
- POST /api/feedback
- GET/POST /api/settings/*
- GET /api/export/*
- GET/POST /api/keys
- Sanctions sync endpoints
Because no route called withRateLimit(), the infrastructure existed but was functionally inactive — any client could issue unlimited requests to any endpoint.
What Changed
This release enforces rate limiting across all API routes by applying withRateLimit() wrappers with the appropriate tier for each route's risk and resource profile:
Rate Limit Tiers
| Tier | Applied To | Purpose |
|---|---|---|
| RATE_LIMITS.general | Read endpoints (GET /api/people, /api/dashboard/stats, /api/matches, /api/feedback, /api/settings/*, /api/keys) | Standard read traffic limits |
| RATE_LIMITS.screening | POST /api/people (screening operations) | Throttles individual screening submissions |
| RATE_LIMITS.bulk | /api/export/*, CSV and batch operations | Protects against resource-intensive bulk requests |
| RATE_LIMITS.sync | Sanctions sync endpoints | Controls nightly and on-demand OFSI list sync frequency |
Why This Matters
Without rate limiting, the API was exposed to:
- Abuse and scraping of the OFSI-derived sanctions data via unrestricted GET requests.
- Resource exhaustion through repeated bulk export or CSV batch requests.
- Denial of service against computationally expensive screening and sync operations.
- Credential stuffing or key enumeration via unconstrained access to /api/keys.
Enforcing tiered rate limits ensures that each class of operation is protected proportionally to its cost and sensitivity.
Impact on Integrations
Clients that issue requests within normal usage patterns will not be affected. If your integration receives 429 Too Many Requests responses after this update, review your request frequency against the tier limits and implement appropriate back-off logic.
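The back-off logic a client should implement, as an added example rather than code shipped with the platform or any of its SDKs. It honours a Retry-After header (in seconds) when the server sends one and otherwise falls back to full-jitter exponential back-off, gives up after a fixed number of attempts, and never retries statuses other than 429. The header names, delays and the synchronous `send`/`sleep` shape are assumptions chosen so the policy can be exercised without a network; in a real integration the same `planRetry()` decision sits around an awaited fetch.

```typescript
// Added example: client-side handling of 429 Too Many Requests.
// Not the platform's code; header names and limits are illustrative.

export interface ClientResponse {
  status: number;
  headers: Record<string, string>;
}

export interface BackoffOptions {
  maxAttempts: number;   // total tries, including the first
  baseMs: number;        // first exponential delay
  capMs: number;         // upper bound on any computed delay
  rand?: () => number;   // jitter source in [0, 1); injectable for tests
}

// Decide whether a response should be retried and how long to wait first.
// Retry-After from the server wins; otherwise use full-jitter exponential
// back-off so many throttled clients do not all retry in lockstep.
export function planRetry(
  res: ClientResponse,
  attempt: number,
  opts: BackoffOptions,
): { retry: boolean; delayMs: number } {
  if (res.status !== 429 || attempt >= opts.maxAttempts) {
    return { retry: false, delayMs: 0 };
  }
  const header = res.headers["retry-after"] ?? res.headers["Retry-After"];
  const seconds = header === undefined ? NaN : Number(header);
  if (Number.isFinite(seconds) && seconds >= 0) {
    return { retry: true, delayMs: Math.min(seconds * 1000, opts.capMs) };
  }
  const rand = opts.rand ?? Math.random;
  const ceiling = Math.min(opts.capMs, opts.baseMs * Math.pow(2, attempt - 1));
  return { retry: true, delayMs: Math.floor(rand() * ceiling) };
}

// Drive one logical request through the policy. `send` performs a single
// attempt; `sleep` is injected so the loop can be tested without real delays.
export function sendWithBackoff(
  send: (attempt: number) => ClientResponse,
  sleep: (ms: number) => void,
  opts: BackoffOptions,
): { response: ClientResponse; attempts: number } {
  let attempt = 1;
  for (;;) {
    const res = send(attempt);
    const plan = planRetry(res, attempt, opts);
    if (!plan.retry) {
      return { response: res, attempts: attempt };
    }
    sleep(plan.delayMs);
    attempt += 1;
  }
}
```

Cap the total wait and the attempt count on the client side as well: a caller that retries a bulk export forever only moves the load problem around, and the limiter will keep answering 429 until the window resets.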
Technical Detail
Rate limiting is implemented via withRateLimit() in src/lib/rate-limit.ts. The wrapper uses the tier constant passed to it to evaluate whether an incoming request exceeds the allowed rate for that caller. Requests that exceed the limit receive a 429 HTTP response. The implementation supports per-IP and per-API-key scoping depending on the route context.
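An added example of the pattern the tier table and the paragraph above describe, written for this note rather than taken from src/lib/rate-limit.ts: the numeric tier values, the `withRateLimit()` signature, the response header names and the handler shape are assumptions. It keeps a fixed-window counter per (tier, caller), scopes the caller by API key when one is presented and by source IP otherwise, and answers over-limit requests with 429 plus a Retry-After header. Each tier has its own budget, so a caller's read traffic does not consume its screening allowance.

```typescript
// Added example: a tiered, in-memory fixed-window rate limiter wrapper.
// Not the project's rate-limit.ts; tier values and signatures are assumed.

export interface RateLimitTier {
  name: string;
  limit: number;     // maximum requests per window
  windowMs: number;  // window length in milliseconds
}

// Assumed values: the note names the tiers but does not state their limits.
export const RATE_LIMITS: Record<"general" | "screening" | "bulk" | "sync", RateLimitTier> = {
  general:   { name: "general",   limit: 100, windowMs: 60_000 },
  screening: { name: "screening", limit: 20,  windowMs: 60_000 },
  bulk:      { name: "bulk",      limit: 5,   windowMs: 60_000 },
  sync:      { name: "sync",      limit: 2,   windowMs: 3_600_000 },
};

export interface ApiRequest {
  ip: string;
  headers: Record<string, string>;
}

export interface ApiResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

export type Handler = (req: ApiRequest) => ApiResponse;

interface Counter { count: number; resetAt: number }

export class RateLimiter {
  private readonly counters = new Map<string, Counter>();
  private readonly now: () => number;

  // The clock is injectable so window rollover can be tested deterministically.
  constructor(now: () => number = Date.now) {
    this.now = now;
  }

  // Scope key: a presented API key identifies the caller; anonymous traffic
  // is scoped by IP. The tier name keeps each tier's budget separate.
  static scopeKey(tier: RateLimitTier, req: ApiRequest): string {
    const apiKey = req.headers["x-api-key"];
    const principal = apiKey ? `key:${apiKey}` : `ip:${req.ip}`;
    return `${tier.name}:${principal}`;
  }

  check(tier: RateLimitTier, req: ApiRequest): { allowed: boolean; remaining: number; retryAfterSec: number } {
    const key = RateLimiter.scopeKey(tier, req);
    const t = this.now();
    let c = this.counters.get(key);
    if (!c || t >= c.resetAt) {
      c = { count: 0, resetAt: t + tier.windowMs };  // new or expired window
      this.counters.set(key, c);
    }
    if (c.count >= tier.limit) {
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((c.resetAt - t) / 1000) };
    }
    c.count += 1;
    return { allowed: true, remaining: tier.limit - c.count, retryAfterSec: 0 };
  }
}

// Wrap a route handler so the tier is checked before the handler runs.
export function withRateLimit(limiter: RateLimiter, tier: RateLimitTier, handler: Handler): Handler {
  return (req) => {
    const r = limiter.check(tier, req);
    const limitHeaders = {
      "X-RateLimit-Limit": String(tier.limit),
      "X-RateLimit-Remaining": String(r.remaining),
    };
    if (!r.allowed) {
      return {
        status: 429,
        headers: { ...limitHeaders, "Retry-After": String(r.retryAfterSec) },
        body: JSON.stringify({ error: "rate limit exceeded", tier: tier.name }),
      };
    }
    const res = handler(req);
    return { ...res, headers: { ...res.headers, ...limitHeaders } };
  };
}

// Wiring in the style of the release (hypothetical handlers, not the real routes).
const limiter = new RateLimiter();
export const getPeople  = withRateLimit(limiter, RATE_LIMITS.general,   () => ({ status: 200, headers: {}, body: "[]" }));
export const postPeople = withRateLimit(limiter, RATE_LIMITS.screening, () => ({ status: 202, headers: {}, body: "{}" }));
export const getExport  = withRateLimit(limiter, RATE_LIMITS.bulk,      () => ({ status: 200, headers: {}, body: "csv" }));
```

Two properties worth checking when adopting this shape: the limiter must sit in front of the handler (an over-limit screening request should never reach the screening logic), and the counter store must be shared across instances in a multi-process deployment, since an in-memory map like the one here gives every worker its own budget.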