In Rate limiting (Part 🌍 of 2) I introduced rate limits for logins and registrations. These limits were “global”: Shmeppy will only allow a certain number of logins/registrations from its entire user base within a certain timespan.
I’ve now introduced a second set of rate limits for each IP address. These limits are lower, and should help prevent the global rate limits from triggering in the event of a basic attack against Shmeppy.
This pair of rate limiting updates should not affect any of y’all. They’re tuned such that they should never trigger outside of an actual attack on Shmeppy (i.e., the limits are quite high). But now Shmeppy is just a bit more secure.
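The layered scheme described above, as an added example that is not Shmeppy's own code: a lower per-IP limit is checked before the higher global one, so a flood from a single address is rejected without using up the global budget. The class name, the limits, the window and the IP addresses are all constructed assumptions.

```python
import time
from collections import Counter, defaultdict, deque

class TwoTierLimiter:
    """Sliding-window limiter: a low per-IP limit checked before a higher global one."""

    def __init__(self, per_ip_limit, global_limit, window_s):
        self.per_ip_limit = per_ip_limit
        self.global_limit = global_limit
        self.window_s = window_s
        self._by_ip = defaultdict(deque)  # ip -> timestamps of accepted attempts
        self._global = deque()            # timestamps of all accepted attempts

    def _expire(self, q, now):
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def allow(self, ip, now=None):
        """Return 'ok', 'ip_limited' or 'global_limited' for one attempt."""
        now = time.monotonic() if now is None else now
        ip_q = self._by_ip[ip]
        self._expire(ip_q, now)
        self._expire(self._global, now)
        # Per-IP check first: a rejected attempt never consumes global budget.
        if len(ip_q) >= self.per_ip_limit:
            return "ip_limited"
        if len(self._global) >= self.global_limit:
            if not ip_q:
                del self._by_ip[ip]  # don't keep empty state for rejected IPs
            return "global_limited"
        ip_q.append(now)
        self._global.append(now)
        return "ok"

def simulate(limiter, flood_attempts=500, legit_users=20):
    """Constructed scenario: one IP floods logins, then distinct users log in once."""
    flood = Counter(limiter.allow("203.0.113.7", now=i * 0.01)
                    for i in range(flood_attempts))
    legit = Counter(limiter.allow(f"198.51.100.{n}", now=10.0 + n)
                    for n in range(legit_users))
    return flood, legit

if __name__ == "__main__":
    # Limits are made-up values for illustration, not Shmeppy's real tuning.
    print("two-tier:   ", simulate(TwoTierLimiter(5, 50, 60)))
    print("global only:", simulate(TwoTierLimiter(10**9, 50, 60)))
```

With the per-IP tier the flooding address gets 5 attempts through and the other users are unaffected; with only the global limit the flood consumes all 50 slots and every later user is rejected until the window expires.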