Rate limiter

Outline includes a rate limiter that is enabled by default. It provides increased protection against outside brute-force attacks when your installation faces the public internet.

The rate limiter has sensible defaults for sensitive endpoints such as mutations. It also includes a global IP-based rate limiter that applies to all endpoints and can be configured manually with the following environment variables:

Configuration

# To disable the limiter, set to false (enabled by default)
RATE_LIMITER_ENABLED=false

# The window duration in seconds – it is recommended to leave this at 60.
RATE_LIMITER_DURATION_WINDOW=60

# The number of requests per IP in the set window. In this example, 1000 API requests/minute/IP.
RATE_LIMITER_REQUESTS=1000
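
A pre-deployment check for these settings, as an added example that is not part of Outline's code or documentation: it parses an env file and reports when the limiter is disabled, when the window differs from the recommended 60 seconds, or when the per-IP rate exceeds a ceiling. The sample input, the function names and the `maxPerMinute` ceiling are assumptions, as is treating only the literal value `false` as disabled.

```javascript
// Added example: audit the RATE_LIMITER_* settings in an env file before deploying.
// The sample input is constructed; maxPerMinute is a hypothetical policy ceiling.
const SAMPLE_ENV = `
# constructed sample
RATE_LIMITER_ENABLED=false
RATE_LIMITER_DURATION_WINDOW=10
RATE_LIMITER_REQUESTS="5000"
`;

// Parse KEY=VALUE lines, skipping blanks and # comments, stripping optional quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

// Return the effective settings plus a list of findings for review.
function auditRateLimiter(env, maxPerMinute = 1000) {
  const findings = [];
  const flag = (env.RATE_LIMITER_ENABLED ?? "").toLowerCase();
  const enabled = flag !== "false"; // assumption: enabled unless set to the literal "false"
  if (!enabled) findings.push("RATE_LIMITER_ENABLED=false: rate limiter is disabled");
  else if (flag !== "" && flag !== "true") findings.push(`unrecognized RATE_LIMITER_ENABLED value "${flag}"`);

  const toInt = (name) => {
    if (env[name] === undefined) return null; // unset: Outline's own default applies
    if (!/^[1-9]\d*$/.test(env[name])) {
      findings.push(`${name} is not a positive integer: "${env[name]}"`);
      return null;
    }
    return Number(env[name]);
  };
  const windowSeconds = toInt("RATE_LIMITER_DURATION_WINDOW");
  const requests = toInt("RATE_LIMITER_REQUESTS");
  if (windowSeconds !== null && windowSeconds !== 60) findings.push(`window is ${windowSeconds}s; the recommended value is 60`);

  // Normalize to requests per minute per IP so settings with different windows are comparable.
  const perMinute = windowSeconds && requests ? (requests * 60) / windowSeconds : null;
  if (perMinute !== null && perMinute > maxPerMinute) findings.push(`${perMinute} requests/minute/IP exceeds ceiling of ${maxPerMinute}`);
  return { enabled, windowSeconds, requests, perMinute, findings };
}

console.log(auditRateLimiter(parseEnv(SAMPLE_ENV)));
```

Pass a different second argument to `auditRateLimiter` to match your own per-IP ceiling.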