Rate limiter

Outline includes an optional rate limiter that can be enabled for increased protection against outside brute-force attacks if your installation is facing the public internet.

Once enabled, the rate limiter has sensible defaults for sensitive endpoints such as mutations and also includes a global IP-based rate limiter that applies to all endpoints and can be configured manually with the following environment variables:

Configuration

# To enable the limiter set to true (default disabled)
RATE_LIMITER_ENABLED=true

# The window duration in seconds – it is recommended to leave this at 60.
RATE_LIMITER_DURATION_WINDOW=60

# The number of requests per-IP in the set window. In this example 1000 API requests/minute/ip.
RATE_LIMITER_REQUESTS=1000