Severity: medium | CWE-770 | OWASP A05:2021

No Global Rate Limiting

Without global rate limiting at the edge or middleware level, any endpoint can be flooded with requests until the server is overwhelmed.

How It Works

Per-endpoint rate limiting protects individual routes, but doesn't prevent a flood of requests to arbitrary endpoints — including non-existent ones that still go through your middleware stack. Global rate limiting at the reverse proxy (Nginx, Cloudflare, Vercel Edge) limits total requests per IP across all endpoints.

Vulnerable Code
// BAD: only some endpoints have rate limiting, no global protection
// login endpoint: rate limited
// password reset: rate limited
// /api/products: no rate limit
// /api/search: no rate limit
// Attacker floods /api/search with 50,000 requests/minute
Secure Code
// GOOD: global rate limiting in Next.js middleware
// middleware.ts: with no matcher configured this runs on every request, including paths with no route
import { NextResponse, type NextRequest } from 'next/server';
import { rateLimit } from '@/lib/rate-limit'; // the app's own limiter (e.g. backed by Redis)

export async function middleware(req: NextRequest) {
  // X-Forwarded-For is "client, proxy1, proxy2": take the client entry. Only trust it
  // when a proxy you control sets the header; otherwise it is attacker-supplied.
  const forwarded = req.headers.get('x-forwarded-for');
  const ip = forwarded?.split(',')[0]?.trim() || '127.0.0.1';
  const { success } = await rateLimit.check(60, ip); // 60 req/min per IP across all endpoints
  if (!success) {
    return NextResponse.json(
      { error: 'Too many requests' },
      { status: 429, headers: { 'Retry-After': '60' } },
    );
  }
  return NextResponse.next();
}
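The middleware above delegates to the app's own limiter. To show what such a limiter has to do, here is an added, self-contained example (not the page's `@/lib/rate-limit` and not a Next.js API): an in-memory fixed-window limiter with one global per-IP budget plus a stricter budget for auth routes, and a safe reading of X-Forwarded-For. The names `RateLimiter`, `clientIp`, `makeHandler` and `simulateFlood` are assumptions for this demo, and the flood it simulates is constructed.

```typescript
// Added example (not the page's '@/lib/rate-limit'): an in-memory fixed-window
// limiter with one global per-IP budget and a tighter budget for auth routes.
// Names here (RateLimiter, clientIp, makeHandler) are assumptions for this demo.

type Decision = { success: boolean; remaining: number; retryAfterSec: number };

class RateLimiter {
  private counters = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly windowMs: number = 60000) {}

  // One call = one request against `key`; `now` is injectable so tests are deterministic.
  check(limit: number, key: string, now: number = Date.now()): Decision {
    const entry = this.counters.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.counters.set(key, { count: 1, windowStart: now });
      return { success: true, remaining: limit - 1, retryAfterSec: 0 };
    }
    if (entry.count >= limit) {
      const retryAfterSec = Math.ceil((entry.windowStart + this.windowMs - now) / 1000);
      return { success: false, remaining: 0, retryAfterSec };
    }
    entry.count += 1;
    return { success: true, remaining: limit - entry.count, retryAfterSec: 0 };
  }
}

// X-Forwarded-For is "client, proxy1, proxy2": take the client entry. Only meaningful
// when a proxy you control sets the header; otherwise fall back to the socket address.
function clientIp(headers: Record<string, string | undefined>, socketIp: string): string {
  const xff = headers['x-forwarded-for'];
  if (!xff) return socketIp;
  const first = (xff.split(',')[0] ?? '').trim();
  return first.length > 0 ? first : socketIp;
}

const GLOBAL_LIMIT = 60; // req/min per IP across every path, including paths with no route
const AUTH_LIMIT = 10;   // req/min per IP for /api/auth/*, checked after the global budget

type Outcome = { status: number; retryAfterSec?: number };

// Middleware-style decision: 429 when either budget is exhausted, else let the request through.
function makeHandler(limiter: RateLimiter) {
  return (ip: string, path: string, now: number): Outcome => {
    const globalDecision = limiter.check(GLOBAL_LIMIT, `global:${ip}`, now);
    if (!globalDecision.success) return { status: 429, retryAfterSec: globalDecision.retryAfterSec };
    if (path.startsWith('/api/auth/')) {
      const auth = limiter.check(AUTH_LIMIT, `auth:${ip}`, now);
      if (!auth.success) return { status: 429, retryAfterSec: auth.retryAfterSec };
    }
    return { status: 200 };
  };
}

// Constructed flood from a single IP inside one window (timestamps 1 ms apart).
function simulateFlood(path: string, requests: number): { allowed: number; blocked: number } {
  const handle = makeHandler(new RateLimiter());
  let allowed = 0;
  let blocked = 0;
  for (let i = 0; i < requests; i++) {
    const r = handle('203.0.113.7', path, 1000 + i);
    if (r.status === 200) allowed++; else blocked++;
  }
  return { allowed, blocked };
}

// A path that matches no route is still counted: 60 allowed, 40 rejected with 429.
console.log(simulateFlood('/does-not-exist', 100));
// An auth path is capped at 10 by the stricter bucket.
console.log(simulateFlood('/api/auth/login', 100));
```

In production the counters live in a shared store (Redis or the edge provider's own limiter) rather than process memory, otherwise every server instance hands out its own budget and the effective limit multiplies with the number of instances.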

Real-World Example

The 2023 Cloudflare DDoS report documented that attacks increasingly target specific API endpoints rather than relying on generic HTTP floods. Applications with no global rate limiting typically expose several unprotected API endpoints that serve as amplification vectors for such attacks.

How to Prevent It

  • Implement global rate limiting in Next.js middleware, Nginx, or your reverse proxy layer
  • Set global limits (60 req/min for general endpoints, 10 req/min for auth) as a baseline
  • Use Cloudflare Rate Limiting Rules or similar edge-level protection for DDoS resilience
  • Monitor your rate limit hit rate — a sudden spike indicates an active attack or scanner
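The last item, monitoring the hit rate, is the detection side of the control. As an added example that is not part of the original page, the following code computes the share of 429 responses per minute from access-log lines and flags minutes where it spikes, naming the IP that absorbed most of the throttling. The log format and the log lines are constructed for this example; `parseLine` would need adapting to your proxy's real format, and `hitRatePerMinute` and `findSpikes` are names chosen here.

```typescript
// Added example: per-minute rate-limit hit rate from access logs, with spike detection.
// Log format (constructed): "<ISO timestamp> <client ip> <method> <path> <status>".

type LogEntry = { minute: string; ip: string; status: number };

function parseLine(line: string): LogEntry | null {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null;
  const ts = parts[0] ?? '';
  const ip = parts[1] ?? '';
  const status = Number(parts[4]);
  if (ts.length < 16 || !Number.isInteger(status)) return null;
  return { minute: ts.slice(0, 16), ip, status }; // "2024-05-01T10:00"
}

type MinuteStats = { total: number; limited: number; limitedByIp: Map<string, number> };

// Aggregate requests and 429s per minute, plus which IPs were throttled.
function hitRatePerMinute(lines: string[]): Map<string, MinuteStats> {
  const out = new Map<string, MinuteStats>();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    let s = out.get(e.minute);
    if (!s) {
      s = { total: 0, limited: 0, limitedByIp: new Map<string, number>() };
      out.set(e.minute, s);
    }
    s.total++;
    if (e.status === 429) {
      s.limited++;
      s.limitedByIp.set(e.ip, (s.limitedByIp.get(e.ip) ?? 0) + 1);
    }
  }
  return out;
}

type Alert = { minute: string; hitRate: number; topIp: string };

// Flag minutes whose 429 share exceeds maxRatio, ignoring minutes too quiet to be meaningful.
function findSpikes(stats: Map<string, MinuteStats>, maxRatio = 0.2, minRequests = 20): Alert[] {
  const alerts: Alert[] = [];
  stats.forEach((s, minute) => {
    if (s.total < minRequests) return;
    const hitRate = s.limited / s.total;
    if (hitRate <= maxRatio) return;
    let topIp = '';
    let topCount = -1;
    s.limitedByIp.forEach((count, ip) => {
      if (count > topCount) { topIp = ip; topCount = count; }
    });
    alerts.push({ minute, hitRate, topIp });
  });
  return alerts;
}

// Constructed sample: a quiet minute with one throttled login, then a minute in
// which a single IP is throttled on /api/search 70 times out of 100 requests.
function sampleLog(): string[] {
  const sec = (i: number) => String(i % 60).padStart(2, '0');
  const lines: string[] = [];
  for (let i = 0; i < 50; i++) {
    lines.push(`2024-05-01T10:00:${sec(i)}Z 198.51.100.${i % 5} GET /api/products 200`);
  }
  lines.push('2024-05-01T10:00:59Z 198.51.100.9 POST /api/auth/login 429');
  for (let i = 0; i < 30; i++) {
    lines.push(`2024-05-01T10:01:${sec(i)}Z 198.51.100.${i % 5} GET /api/products 200`);
  }
  for (let i = 0; i < 70; i++) {
    lines.push(`2024-05-01T10:01:${sec(i)}Z 203.0.113.7 GET /api/search 429`);
  }
  return lines;
}

// Expected: one alert for minute 2024-05-01T10:01 with hitRate 0.7 and topIp 203.0.113.7.
console.log(findSpikes(hitRatePerMinute(sampleLog())));
```

A fixed ratio is a reasonable first alert; a baseline-relative threshold (for example, several times the median of the previous hour) reduces noise on sites whose normal traffic already triggers some throttling.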

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
