From d05da7d39bede97a46871425bf69c82a2ad5b165 Mon Sep 17 00:00:00 2001 From: Zach Millman Date: Fri, 12 Jul 2013 14:19:45 -0700 Subject: [PATCH 1/3] Explain why Rack::Attack returns 503 instead of 429 in README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 585bc78..cb65603 100644 --- a/README.md +++ b/README.md @@ -186,6 +186,8 @@ For responses that did not exceed a throttle limit, Rack::Attack annotates the e request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l } ``` +Note that Rack::Attack uses 503 Service Unavailable by default instead of 429 Too Many Requests for throttling because it may make attacker think that they have successfully DOSed the site. + ## Logging & Instrumentation Rack::Attack uses the [ActiveSupport::Notifications](http://api.rubyonrails.org/classes/ActiveSupport/Notifications.html) API if available. From 8a0fd35880509a95896e5897395746fc71669b7b Mon Sep 17 00:00:00 2001 From: Zach Millman Date: Fri, 12 Jul 2013 14:45:59 -0700 Subject: [PATCH 2/3] Fix response status comment for README --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cb65603..03c19cf 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,8 @@ Customize the response of blacklisted and throttled requests using an object tha ```ruby Rack::Attack.blacklisted_response = lambda do |env| + # Using 503 because it may make attacker think that they have successfully + # DOSed the site, Rack::Attack returns 401 for blacklists by default [ 503, {}, ['Blocked']] end @@ -176,6 +178,8 @@ Customize the response of blacklisted and throttled requests using an object tha env['rack.attack.match_data'] ].inspect + # Using 503 because it may make attacker think that they have successfully + # DOSed the site, Rack::Attack returns 401 for blacklists by default [ 503, {}, [body]] end ``` 
@@ -186,8 +190,6 @@ For responses that did not exceed a throttle limit, Rack::Attack annotates the e request.env['rack.attack.throttle_data'][name] # => { :count => n, :period => p, :limit => l } ``` -Note that Rack::Attack uses 503 Service Unavailable by default instead of 429 Too Many Requests for throttling because it may make attacker think that they have successfully DOSed the site. - ## Logging & Instrumentation Rack::Attack uses the [ActiveSupport::Notifications](http://api.rubyonrails.org/classes/ActiveSupport/Notifications.html) API if available. From 8ff22a17f983bb8af3ce114a7dbfcccb84d12c49 Mon Sep 17 00:00:00 2001 From: Zach Millman Date: Fri, 12 Jul 2013 14:49:29 -0700 Subject: [PATCH 3/3] Fix typo 401 -> 429 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 03c19cf..610aa08 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,7 @@ Customize the response of blacklisted and throttled requests using an object tha ```ruby Rack::Attack.blacklisted_response = lambda do |env| # Using 503 because it may make attacker think that they have successfully - # DOSed the site, Rack::Attack returns 401 for blacklists by default + # DOSed the site. Rack::Attack returns 401 for blacklists by default [ 503, {}, ['Blocked']] end @@ -179,7 +179,7 @@ Customize the response of blacklisted and throttled requests using an object tha ].inspect # Using 503 because it may make attacker think that they have successfully - # DOSed the site, Rack::Attack returns 401 for blacklists by default + # DOSed the site. Rack::Attack returns 429 for throttling by default [ 503, {}, [body]] end ```
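Review bot: The README sentence added in PATCH 1/3 ("Rack::Attack uses 503 Service Unavailable by default instead of 429") is deleted again in the `@@ -186,8 +190,6 @@` hunk of PATCH 2/3, and its claim is contradicted by the comments PATCH 2/3 introduces, which present 503 as the customized value and 401/429 as the library defaults. Squash the three commits into one so the incorrect "uses 503 by default" statement never lands in history and the series reads as a single README change.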
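Review bot: In both hunks of PATCH 2/3 the added comment is a comma splice ("...successfully DOSed the site, Rack::Attack returns 401...") and drops an article ("may make attacker think"); the second hunk, inside the `throttled_response` example, also says "returns 401 for blacklists by default", which describes the wrong handler. Suggest "# Using 503 because it may make an attacker think that they have successfully DOSed the site." followed by a separate sentence naming the default for the handler the comment sits in, which is what PATCH 3/3 partly does.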
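Review bot: The subject of PATCH 3/3 is "Fix typo 401 -> 429", yet its `@@ -166,7 +166,7 @@` hunk keeps "Rack::Attack returns 401 for blacklists by default" and changes only the comma to a period; if 401 is a typo in one comment, confirm the blacklist default against the library's own `blacklisted_response` definition before keeping it in the other. The rationale given for 503 also deserves a one-line caveat in the README: a 503 is indistinguishable from a real outage to uptime monitors and to clients that retry on 5xx, whereas 429 signals a well-behaved client to back off.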