express-limiter
Why is emitting headers the default? That's a security hole
skipHeaders defaults to false.
This means the entire world is getting these headers, which exposes internal implementation details and is thus a security flaw:
X-RateLimit-Limit: 20
X-RateLimit-Remaining: 19
X-RateLimit-Reset: 1510250052
X-Request-Id: da62f2a0-c576-11e7-b7fc-89bce46f8f85
Please consider changing the default in the next major release.
See this article about unnecessary exposure of implementation details.
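
A mitigation for deployments where `skipHeaders` is still at its default, as an added example that is not part of the original issue or of express-limiter: a middleware, mounted before the limiter, that drops the headers listed above for untrusted callers. `suppressHeaders`, `isTrusted`, the `internal` flag, and the stub response and limiter are assumptions constructed for the demo.

```javascript
// Added example: hide rate-limit headers from untrusted callers.
// suppressHeaders / isTrusted are hypothetical names, not express-limiter API.
function suppressHeaders(patterns, isTrusted = () => false) {
  return function (req, res, next) {
    if (isTrusted(req)) return next(); // trusted callers keep the headers
    const blocked = (name) => patterns.some((p) => p.test(String(name)));
    const setHeader = res.setHeader.bind(res);
    // Express's res.set() / res.header() end up in setHeader, so wrap that.
    res.setHeader = function (name, value) {
      if (blocked(name)) return res; // silently drop the header
      return setHeader(name, value);
    };
    next();
  };
}

// Constructed stand-in for a Node response object (offline demo only).
function fakeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = String(value); return this; },
    getHeaders() { return { ...headers }; },
  };
}

// Constructed stand-in for a limiter with skipHeaders left at false,
// emitting the header values quoted in the issue.
function fakeLimiter(req, res, next) {
  res.setHeader('X-RateLimit-Limit', 20);
  res.setHeader('X-RateLimit-Remaining', 19);
  res.setHeader('X-RateLimit-Reset', 1510250052);
  res.setHeader('X-Request-Id', 'da62f2a0-c576-11e7-b7fc-89bce46f8f85');
  next();
}

// Runs guard -> limiter -> handler and returns the headers the client would see.
function run(req) {
  const res = fakeResponse();
  const guard = suppressHeaders([/^x-ratelimit-/i, /^x-request-id$/i],
                                (r) => r.internal === true);
  guard(req, res, () =>
    fakeLimiter(req, res, () => res.setHeader('Content-Type', 'application/json')));
  return res.getHeaders();
}

console.log('external:', run({ internal: false }));
console.log('internal:', run({ internal: true }));
```

Headers passed directly to `res.writeHead(status, headers)` bypass this wrapper; setting `skipHeaders: true` in the limiter's options removes the headers at the source.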