homelab/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2026-06-23 04:10:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c072fd657dcc5139327a0660566d84fefec41450
hedgedoc/docs/content/references/config/security.md
T
Erik Michelson c072fd657d fix(rate-limit): increase auth limit defaults 
This is a moderate increase from about 2 req/minute to 2.6 req/minute
with an increase of the window to 15 minutes. Switching between
accounts a few times should be covered by the higher rate limit.
At the same time, the window increase reduces the attack/abuse chance
again.

Fixes #6471

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2026-05-13 23:06:02 +02:00

2.8 KiB
Raw Blame History

Security

This page describes security-related configuration options for HedgeDoc.

Rate Limiting

HedgeDoc implements rate limiting to protect against abuse and brute-force attacks. Rate limiting applies different limits based on the authentication level and endpoint type.

  1. Public API: For requests to the public API using a valid API-token
  2. Authenticated: For requests to the app by logged-in users
  3. Unauthenticated: For requests to the app or API by unauthenticated users or guests
  4. Auth: For requests to the auth endpoints (login, register, etc.)

Rate limits are tracked differently based on authentication state:

  • Authenticated requests (session or API token): Tracked per user ID
  • Unauthenticated requests: Tracked per IP address

When a rate limit is exceeded, the server responds with the HTTP 429 status code and includes information about the limit and when to retry in the headers X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After.

Configuration

Each rate limit tier can be configured with two values:

  • *_MAX: Maximum number of requests allowed
  • *_WINDOW: Time window in seconds for the limit

Setting a *_MAX value to 0 effectively disables rate limiting for that tier (not recommended for production).

environment variable default description
HD_SECURITY_RATE_LIMIT_PUBLIC_API_MAX 150 Number of maximum requests for the public API with auth token
HD_SECURITY_RATE_LIMIT_PUBLIC_API_WINDOW 300 Time window in seconds for public API limit
HD_SECURITY_RATE_LIMIT_AUTHENTICATED_MAX 900 Maximum requests for authenticated usage
HD_SECURITY_RATE_LIMIT_AUTHENTICATED_WINDOW 300 Time window in seconds for authenticated usage
HD_SECURITY_RATE_LIMIT_UNAUTHENTICATED_MAX 100 Maximum requests for unauthenticated usage
HD_SECURITY_RATE_LIMIT_UNAUTHENTICATED_WINDOW 300 Time window in seconds for unauthenticated usage
HD_SECURITY_RATE_LIMIT_AUTH_MAX 40 Maximum of auth request attempts
HD_SECURITY_RATE_LIMIT_AUTH_WINDOW 900 Time window in seconds for auth request attempts
HD_SECURITY_RATE_LIMIT_BYPASS none Bypass rate limiting for these IP addresses (comma-separated list)
Reference in New Issue View Git Blame Copy Permalink