
#19515: security: add per-connection WebSocket rate limiting

by Mozzzaic · open · 2026-02-17 22:16
gateway size: M
## Summary

- Add sliding window rate limiter for WebSocket connections (`ws-rate-limit.ts`)
- Default limit: 100 messages per 10 seconds per connection
- Warn client with JSON event before disconnecting on sustained abuse (3 warnings)
- Integrate rate limiter into the WebSocket message handler
- Configurable limits via `WsRateLimitConfig`

## Security Impact

Prevents WebSocket flood attacks that could DoS the gateway server. Each connection is independently tracked.

## Test plan

- [x] Unit tests for rate limiter logic (allow, block, sliding window, reset)
- [x] Test warning count before disconnect
- [x] Test default configuration (100 msg / 10s)
- [x] Verify sliding window expiry

### Greptile Summary

Added per-connection WebSocket rate limiting to prevent flood attacks. Each connection is independently tracked with a sliding window limiter (default: 100 messages per 10 seconds). The implementation includes:

- New rate limiter module with configurable limits and automatic warning decay when traffic drops below 50%
- Integration into WebSocket message handler that warns clients before disconnecting after 3 sustained violations
- Comprehensive test coverage for core rate limiting logic

The security improvement is sound and follows the existing patterns in the codebase (similar to `auth-rate-limit.ts`). The implementation correctly handles edge cases and uses an efficient sliding window algorithm.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The implementation follows established patterns in the codebase, includes comprehensive test coverage, and addresses a real security concern. The sliding window algorithm is correctly implemented with proper bounds checking, and the integration into the message handler is clean and non-invasive. No breaking changes or risky modifications to existing code.
- No files require special attention

Last reviewed commit: bf4113a
