Add rate limiting to the API #488

New Issue

OVERLORD · 2026-02-04T21:10:46+03:00

OVERLORD commented

2026-02-04 21:10:46 +03:00

Originally created by @ntimo on GitHub (Nov 14, 2019).

Hello,
first off awesome project. I just took a look at the official bitwarden API and saw that it has a rate limit. I would like suggest to add a rate limit too. It should probably use the same headers like the official one:

x-rate-limit-limit: 1m
x-rate-limit-remaining: 199
x-rate-limit-reset: 2019-11-13T22:48:01.3005818Z

What do you think about that? Maybe the limit could also be made configurable using a environment variable.

Originally created by @ntimo on GitHub (Nov 14, 2019). Hello, first off awesome project. I just took a look at the official bitwarden API and saw that it has a rate limit. I would like suggest to add a rate limit too. It should probably use the same headers like the official one: ``` x-rate-limit-limit: 1m x-rate-limit-remaining: 199 x-rate-limit-reset: 2019-11-13T22:48:01.3005818Z ``` What do you think about that? Maybe the limit could also be made configurable using a environment variable.

OVERLORD closed this issue

2026-02-04 21:10:51 +03:00

OVERLORD commented

2026-02-04 21:10:57 +03:00

@dani-garcia commented on GitHub (Nov 14, 2019):

So far we've intentionally kept out of this space because it's reasonably easy to do with external tools while it could be quite complex to implement correctly and at the same time it would require a lot of configurability because no one wants the exact same setup. For example, someone might prefer to only ratelimit the login endpoint, or apply different limits to loggedin users vs anonymous users, someone might want to ban the users after the limit is reached, others might want to block them for a certain time, someone could want more restrictive limits for some IP range or more relaxed for the local LAN...

Personally I wouldn't mind some basic ratelimiting being built in, but a more robust solution would be to create documentation on how to integrate bitwarden_rs with the rate limiting of third party proxies or firewalls.

@dani-garcia commented on GitHub (Nov 14, 2019): So far we've intentionally kept out of this space because it's reasonably easy to do with external tools while it could be quite complex to implement correctly and at the same time it would require a lot of configurability because no one wants the exact same setup. For example, someone might prefer to only ratelimit the login endpoint, or apply different limits to loggedin users vs anonymous users, someone might want to ban the users after the limit is reached, others might want to block them for a certain time, someone could want more restrictive limits for some IP range or more relaxed for the local LAN... Personally I wouldn't mind some basic ratelimiting being built in, but a more robust solution would be to create documentation on how to integrate bitwarden_rs with the rate limiting of third party proxies or firewalls.

OVERLORD commented

2026-02-04 21:11:02 +03:00

@BlackDex commented on GitHub (Oct 9, 2020):

To keep the issue tracker more focused, I'm closing this issue in favor of the meta issue at #246

@BlackDex commented on GitHub (Oct 9, 2020): To keep the issue tracker more focused, I'm closing this issue in favor of the meta issue at #246

OVERLORD referenced this issue

2026-02-05 04:56:56 +03:00

[PR #868] [MERGED] Add backend support for alternate base dir (subdir/subpath) hosting #2781

Sign in to join this conversation.