Developer finds site advertised rate limits for months with no enforcement code
A developer discovered that their Cloudflare Worker had been sending RateLimit headers on every response, promising a cap of 100 requests per 60 seconds, while no actual limiting logic existed anywhere in the codebase. The flaw meant no 429 responses were ever returned, and any well-behaved automated agent trusting those headers would have unnecessarily throttled itself against a non-existent limit. The bug surfaced during an internal audit while the developer was preparing answers to tough questions about the site's own agent-readiness standards. A fix was implemented using Cloudflare's Workers rate limiting binding, keyed to client IP, which now enforces the same 100-requests-per-60-seconds limit the headers had long advertised. The developer noted a key limitation: because the site has no accounts or logins, IP-based keying is the only option, meaning multiple users sharing a proxy or NAT address share a single request budget.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in