Add rate-limiting to /api/contact to prevent spam
Task #11: Formular gegen Spam schützen - Installed `express-rate-limit` (^8.5.2) as a runtime dependency in `@workspace/api-server` - Created a rate limiter (5 requests per IP per hour, 1-hour sliding window) using `rateLimit()` from express-rate-limit - Applied the limiter as inline middleware on POST /contact so it runs before the handler - On limit exceeded the API returns HTTP 429 with a German-language JSON error: { success: false, message: "Zu viele Anfragen. Bitte versuchen Sie es in einer Stunde erneut." } - Uses `standardHeaders: "draft-8"` (RateLimit header group) and disables legacy X-RateLimit-* headers - Added `app.set("trust proxy", 1)` in app.ts so that Express reads the real client IP from X-Forwarded-For (set by Replit's reverse proxy), ensuring the rate limit is applied per actual client rather than per proxy IP - No other changes to the contact handler flow No deviations from the task description. Replit-Task-Id: de2cecbd-511f-4046-8e87-567ec96e19fb
This commit is contained in:
joachimhummel
@@ -17,6 +17,7 @@
|
||||
"cors": "^2.8.6",
|
||||
"drizzle-orm": "catalog:",
|
||||
"express": "^5.2.1",
|
||||
"express-rate-limit": "^8.5.2",
|
||||
"pino": "^9.14.0",
|
||||
"pino-http": "^10.5.0"
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user