ps2026 4 hours ago

Actually no, I'm rate limiting per individual IP address right now. Good catch... I should probably normalize IPv6 to /64. I was originally thinking about not blocking universities or large groups that share IPs, but I guess that is more of an IPv4 NAT concern. Thanks for pointing it out! I didn't really think about a user rotating through IPs. I didn't add the rate limiting on voting until I removed the fingerprint, so that is for sure a valid concern.

Reply View 2 replies
  • 1e1a 4 hours ago

    It could make sense to lightly rate limit at /48 in addition to /64 (this is generally the largest subnet size given out by ISPs), otherwise it will be easy for people to multiply your /64 rate limit by 65536.

    Reply View 1 reply
    • ps2026 4 hours ago

      Hey thanks for the recommendation. That makes sense. Layered rate limiting at both /64 and /48 with different thresholds. Appreciate the explanation, and I'll be adding this to the list! This is my first time dealing with a public facing app where this type of rate limiting is needed.

      Reply View 0 replies