Results page hits ~8-10 /api/* endpoints per estimate, tripping the per-IP rate-limit (was 90/60s) and 429'ing trusted pilots behind Caddy basic_auth. Requests carrying X-Authenticated-User (injected by Caddy) now bypass the limiter; anonymous traffic stays throttled. Limit/window are env-configurable (RATE_LIMIT default 90->300, RATE_LIMIT_WINDOW_S=60). Closes #655 |
||
|---|---|---|
| .. | ||
| app | ||
| data/sql | ||
| scripts | ||
| tests | ||
| .dockerignore | ||
| Dockerfile | ||
| pyproject.toml | ||