From dc7277a8f67e875f61f7057b79a763d5795c4a34 Mon Sep 17 00:00:00 2001 From: dblythy Date: Fri, 14 Apr 2023 13:53:24 +1000 Subject: [PATCH 1/5] feat: add rate limit docs --- _includes/common/security.md | 59 ++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/_includes/common/security.md b/_includes/common/security.md index fb3a447c..23b00c93 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -562,6 +562,65 @@ Parse.Cloud.define("like", async request => { One very common use case for Cloud Code is sending push notifications to particular users. In general, clients can't be trusted to send push notifications directly, because they could modify the alert text, or push to people they shouldn't be able to. Your app's settings will allow you to set whether "client push" is enabled or not; we recommend that you make sure it's disabled. Instead, you should write Cloud Code functions that validate the data to be pushed and sent before sending a push. +## Rate Limiting + +* Available only on parse-server starting 6.0.0 * + +It's important to restrict how often a client can call Parse Server, to prevent a malicious client from brute forcing an endpoint. + +Rate limits can be defined by setting the Parse Server Option rateLimit, or by specifying a rateLimit object on a cloud function validator. + +The valid options for a rate limit are: + +- `requestPath`: The path of the API route to be rate limited. +- `requestMethods`: Optional, the HTTP request methods to be rate limited. +- `requestTimeWindow`: The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied. +- `requestCount`: The number of requests that can be made per IP address within the time window set in `requestTimeWindow` before the rate limit is applied. +- `errorResponseMessage`: The error message that should be returned in the body of the HTTP 429 response when the rate limit is hit. Default is `Too many requests.`. +- `includeInternalRequests`: Optional, whether the rate limit will also apply to requests that are made in by Cloud Code. +- `includeMasterKey`: Optional, whether the rate limit will also apply to requests using the `masterKey` +- `redisUrl` Optional, the URL of the Redis server to store rate limit data. + +To specify a server-wide rate limit of 200 requests per 15 minute window: + +```js +const parseServer = new ParseServer({ + rateLimit: { + requestPath: '*', + requestTimeWindow: 15 * 60 * 1000, + requestCount: 200, + }, +}); +``` + +Multiple rate limits can be defined for + +To specify a cloud function specific rate limit of 3 request per hour: + +```js +Parse.Cloud.define('someFunction', () => { + return 'Hello world'; +}, { + rateLimit: { + requestTimeWindow: 60 * 60 * 1000, + requestCount: 3, + } +}); +``` + +Rate limits can also be applied to `beforeSave` triggers to restrict how often a given class is written to: + +```js +Parse.Cloud.beforeSave('TestObject', () => {}, { + rateLimit: { + requestTimeWindow: 1 * 60 * 1000 // one write per minute,, + requestCount: 1, + errorResponseMessage: 'Too many requests!', + }, +}); +``` + + ## Parse Security Summary Parse provides a number of ways for you to secure data in your app. As you build your app and evaluate the kinds of data you will be storing, you can make the decision about which implementation to choose. From 26fb47c719e97b28e46d186c0acc5920132bfa0b Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 25 May 2023 14:15:19 +1000 Subject: [PATCH 2/5] Update _includes/common/security.md Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com> --- _includes/common/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/common/security.md b/_includes/common/security.md index 23b00c93..c931cccd 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -564,7 +564,7 @@ One very common use case for Cloud Code is sending push notifications to particu ## Rate Limiting -* Available only on parse-server starting 6.0.0 * +* Available on Parse Server >=6.0.0 * It's important to restrict how often a client can call Parse Server, to prevent a malicious client from brute forcing an endpoint. From fc588bf6df1b668fa2799f0419ed7f6b546fc3a4 Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 25 May 2023 14:15:27 +1000 Subject: [PATCH 3/5] Update _includes/common/security.md Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com> --- _includes/common/security.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/_includes/common/security.md b/_includes/common/security.md index c931cccd..f50db2f0 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -566,9 +566,12 @@ One very common use case for Cloud Code is sending push notifications to particu * Available on Parse Server >=6.0.0 * -It's important to restrict how often a client can call Parse Server, to prevent a malicious client from brute forcing an endpoint. +It's important to restrict how often a client can call the Parse Server API. This prevents malicious attacks that could: +- overwhelm server resources by exceeding expected API traffic +- collect large amounts of data ("data scraping") +- repeatedly guess passwords, object IDs, installation IDs or other data ("brute force") -Rate limits can be defined by setting the Parse Server Option rateLimit, or by specifying a rateLimit object on a cloud function validator. +Parse Sever offers a mechanism to enforce rate limits by setting the Parse Server option `rateLimit`, or by specifying a `rateLimit` object on a Cloud Function validator. The valid options for a rate limit are: From 1bea67d4303dc12ffaa579a46b0d07a9a338930e Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 25 May 2023 14:15:34 +1000 Subject: [PATCH 4/5] Update _includes/common/security.md Co-authored-by: Manuel <5673677+mtrezza@users.noreply.github.com> --- _includes/common/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/_includes/common/security.md b/_includes/common/security.md index f50db2f0..5d2be67f 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -623,6 +623,7 @@ Parse.Cloud.beforeSave('TestObject', () => {}, { }); ``` +> ⚠️ Rate limits should be enforced as far away from Parse Server as possible to mitigate possible impacts on resource costs, availability and integrity. While Parse Server offers a rate limiting mechanism as a conveniently available security feature without requiring a deep level of expertise, it is *not considered best practice* to enforce rate limits only after requests already reached the server. For better protection we advice to examine your network architecture an consider enforcing rate limits on the outer edge of the cloud if using a content delivery network, or at least before requests reach the server resource. Consult your cloud service provider for recommended rate limit and firewall solutions for your resources. ## Parse Security Summary From 5ea0ee1af0c0a8548541345d655dfdbc662b5b7d Mon Sep 17 00:00:00 2001 From: dblythy Date: Thu, 25 May 2023 14:16:50 +1000 Subject: [PATCH 5/5] Update security.md --- _includes/common/security.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/_includes/common/security.md b/_includes/common/security.md index 23b00c93..73c38fda 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -593,8 +593,6 @@ const parseServer = new ParseServer({ }); ``` -Multiple rate limits can be defined for - To specify a cloud function specific rate limit of 3 request per hour: ```js