Endpoint-Based Rate Limits

Introduction

This page provides a comprehensive explanation of Ory's Endpoint-Based Rate Limiting. These limits are designed to fortify the security of your Ory project endpoints by mitigating common attack vectors such as brute-force and credential stuffing attempts, while allowing for flexibility for high-volume legitimate traffic from trusted sources.

What are Endpoint-Based Rate Limits?

Endpoint-Based Rate Limits are precise controls applied to individual API endpoints within your Ory projects. Unlike Project-Based Rate Limits, which govern overall project request volumes, Endpoint-Based Rate Limits focus on safeguarding specific functionalities against abuse.

How Endpoint-Based Rate Limits Work

These limits act as a first line of defense for your project endpoints. They analyze incoming request patterns and consider factors such as:

  • Source IP Address: Identifies and potentially blocks requests originating from suspicious sources or those exhibiting behavior indicative of malicious activity.
  • Request Frequency: Monitors how often requests are made to a specific endpoint to detect and thwart attempts to overwhelm the system or exploit vulnerabilities.
  • User Authentication: (If applicable) Considers whether requests are authenticated and may apply different limits for authenticated vs. unauthenticated requests.
  • Request Method: May apply different limits based on the HTTP method used (GET, POST, etc.).
  • IP Whitelist Status: Applies higher limits to whitelisted IPs for Enterprise and Growth customers.
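The following is an added illustration, not Ory's own code (Ory's actual rules are managed server-side and are not published on this page). It shows how the factors above combine in a sliding-window limiter: the budget is resolved per endpoint and HTTP method, counted per user for authenticated calls and per source IP otherwise, and raised for allowlisted internal IPs; every limit value and IP address below is a constructed placeholder.

```python
from collections import defaultdict, deque

# Constructed example limits as (max requests, window seconds). They are
# placeholders for illustration; Ory's real rule set is not published here.
DEFAULT_LIMIT = (60, 60)
ENDPOINT_LIMITS = {
    ("POST", "/self-service/login"): (5, 60),
    ("POST", "/self-service/recovery"): (3, 60),
}
AUTHENTICATED_FACTOR = 2  # authenticated callers get a larger budget
ALLOWLIST_FACTOR = 10     # allowlisted internal IPs get a higher limit still


class EndpointRateLimiter:
    """Sliding-window counter keyed by (method, path, caller identity)."""

    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)
        self.hits = defaultdict(deque)  # key -> timestamps of recent hits

    def budget(self, method, path, ip, user_id):
        """Resolve the limit from endpoint, method, allowlist and auth status."""
        max_req, window = ENDPOINT_LIMITS.get((method, path), DEFAULT_LIMIT)
        if ip in self.allowlist:
            max_req *= ALLOWLIST_FACTOR
        elif user_id is not None:
            max_req *= AUTHENTICATED_FACTOR
        return max_req, window

    def check(self, method, path, ip, user_id=None, now=0.0):
        """Return (allowed, remaining, retry_after_seconds) for one request."""
        max_req, window = self.budget(method, path, ip, user_id)
        # Authenticated traffic is counted per user, anonymous traffic per IP,
        # so a burst from one IP cannot exhaust the budget of every user.
        key = (method, path, user_id if user_id is not None else ip)
        q = self.hits[key]
        while q and q[0] <= now - window:  # forget hits outside the window
            q.popleft()
        if len(q) >= max_req:
            return False, 0, q[0] + window - now
        q.append(now)
        return True, max_req - len(q), 0.0


def allowed_in_burst(limiter, method, path, ip, attempts, user_id=None):
    """Fire `attempts` requests one second apart; return how many pass."""
    results = [limiter.check(method, path, ip, user_id, now=float(i))[0]
               for i in range(attempts)]
    return sum(results)
```

A production deployment would keep the counters in shared storage and return the `retry_after` value to the client in a 429 response.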

Benefits of Endpoint-Based Rate Limiting

Purpose

Ory implements Endpoint-Based Rate Limits to proactively secure individual endpoints and protect against common attack vectors like brute-force and credential stuffing, while allowing for higher volumes of legitimate traffic from trusted sources. These types of attacks typically involve numerous attempts to guess credentials or exploit vulnerabilities, often originating from a limited set of IP addresses.

Key Benefits

  1. Enhanced Security:
    • Restricts the number of requests from specific sources within a given timeframe.
    • Makes it significantly harder for attackers to succeed with brute-force or credential stuffing attacks.
    • Strengthens the security of your Ory projects and protects sensitive user data.
  2. Protection Against Malicious Bots:
    • Differentiates between genuine user traffic and potentially harmful bot activity.
    • Analyzes request patterns to identify and block automated malicious activities.
  3. Safeguarding Specific Endpoints:
    • Offers granular control over how each endpoint handles traffic and responds to potential threats.
    • Allows fine-tuning of security measures for individual endpoints.
    • Optimizes protection without compromising the user experience.
  4. Fair Usage:
    • Complements Project-Based Rate Limits in ensuring fair resource allocation.
    • Contributes to a fairer and more stable platform for all users by mitigating abusive traffic.
  5. Flexibility for High-Volume Legitimate Traffic:
    • Provides options for Enterprise and Growth customers to whitelist internal IPs for higher rate limits.
    • Balances security needs with the requirements of high-volume legitimate traffic.

Important Notes on Rate Limit Rules

Rule Management

The Endpoint-Based Rate Limit rules are set and managed by Ory. Enterprise and Growth customers cannot yet configure these rules directly.

IP Whitelisting for Enterprise and Growth Customers

Enterprise and Growth customers have the option to whitelist internal IPs. This feature is designed for cases where these IPs generate high volumes of legitimate calls that would otherwise trigger the rate-limit rules.

  • Whitelisted IPs are subject to the same rule structure but with higher limits.
  • To whitelist IPs, please create a support ticket with Ory.
  • This feature ensures that necessary high-volume traffic from trusted sources is not interrupted while maintaining strong security measures.

List of Rate Limit Rules

This section will be populated later with detailed documentation of the rules set by Ory, including information on standard limits and higher limits for whitelisted IPs.