Since this is now a feature request, I’m listing the options I’m looking forward to:
- Rate limiter SC step
- Ability to select a custom key for the rate limiter through the data binding picker (e.g.: so I can pick something from $_SESSION, or the default $_SERVER.REMOTE_ADDR for regular IP address limiting)
- Ability to define window time (or equivalent) of the rate limiter (data binding picker)
- Ability to define max requests in window time (or equivalent) of the rate limiter (data binding picker)
- Ability to use Redis for rate-limiting (for distributed rate-limiting)
If it reduces complexity, we could skip the global rate limiter, because one could put a rate limiter in the Globals steps:
And one might want to use several rate limiting steps simultaneously (e.g.: IP address based, and then session based), and these should not void one another.
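
The stacking behaviour requested in the post above (a custom key, window time and max requests per step, with an IP-based and a session-based limiter that do not void one another), as an added example that is not part of the original post and not code from the product discussed. The names `createLimiter` and `checkAll` and the request shape are hypothetical, and an in-memory `Map` stands in for Redis.

```javascript
// Added illustration: createLimiter, checkAll and the request shape are hypothetical.
// Fixed-window counters live in a Map; a Redis store would replace it when distributed.
function createLimiter({ name, windowMs, max, keyFrom, store = new Map() }) {
  return {
    name,
    check(req, now = Date.now()) {
      const key = keyFrom(req);
      // No key (e.g. no session yet): fail closed rather than share one bucket.
      if (key === undefined || key === null || key === '') {
        return { allowed: false, retryAfterMs: 0 };
      }
      // Prefix with the limiter name so steps sharing a store keep separate counters.
      const bucket = `${name}:${key}`;
      let entry = store.get(bucket);
      if (!entry || now >= entry.resetAt) {
        entry = { count: 0, resetAt: now + windowMs }; // start a new window
        store.set(bucket, entry);
      }
      if (entry.count >= max) {
        return { allowed: false, retryAfterMs: entry.resetAt - now };
      }
      entry.count += 1;
      return { allowed: true, retryAfterMs: 0 };
    },
  };
}

// Every step is evaluated, so a request rejected by one step still counts
// against the others; the request passes only if all steps allow it.
function checkAll(limiters, req, now = Date.now()) {
  const blockedBy = limiters.filter((l) => !l.check(req, now).allowed).map((l) => l.name);
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample: 3 requests per minute per IP, 2 per minute per session.
const demoStore = new Map();
const demoSteps = [
  createLimiter({ name: 'ip', windowMs: 60000, max: 3, keyFrom: (r) => r.ip, store: demoStore }),
  createLimiter({ name: 'session', windowMs: 60000, max: 2, keyFrom: (r) => r.sessionId, store: demoStore }),
];
const demoReq = { ip: '203.0.113.7', sessionId: 's1' }; // constructed values
for (let i = 0; i < 3; i += 1) {
  console.log(i, checkAll(demoSteps, demoReq, 1000 + i));
}
// Same IP, new session: the session step has room, the IP step is now full.
console.log(checkAll(demoSteps, { ip: '203.0.113.7', sessionId: 's2' }, 1003));
```
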