Rate Limiting

All API endpoints are rate-limited to protect against abuse. Controlinfra uses tiered rate limits based on endpoint sensitivity, with Redis-backed distributed limiting for multi-instance deployments.

Response Headers

Every response includes standard rate limit headers:

| Header | Description |
| --- | --- |
| RateLimit-Limit | Maximum number of requests in the current window |
| RateLimit-Remaining | Number of requests remaining in the current window |
| RateLimit-Reset | Seconds until the rate limit window resets |

Rate Limit Tiers

Standard API

Limit: 1,000 requests per 15 minutes per IP

Applies to all general API endpoints.

Authentication

Limit: 50 requests per 15 minutes per IP

Applies to login, register, and password reset endpoints. Counts all requests (not just failures), so the limiter's counters and RateLimit-* headers cannot be used as an oracle for whether a given attempt succeeded.

Fail-Closed

If the rate limit store (Redis) is unavailable, authentication rate limiting will reject requests with a 503 rather than allowing them through. This prevents brute-force attacks during outages.

Scan Triggering

Limit: 10 requests per minute per IP

Applies to scan trigger endpoints to prevent resource abuse.

Runner Communication

Limit: 120 requests per minute per runner

Applies to heartbeat, job polling, and job status endpoints. Keyed by the last 8 characters of the runner token (not IP), so multiple runners behind a NAT are each counted against their own limit instead of sharing one.

Strict Operations

Limit: 5 requests per hour per IP

Applies to sensitive operations like token regeneration. Fail-closed on Redis outage.

Credential Access

Limit: 60 requests per hour per IP (production) / 200 (development)

Applies to credential retrieval endpoints. Fail-closed on Redis outage.

User-Based

Limit: 500 requests per 15 minutes per authenticated user

Applies to authenticated endpoints, keyed by user ID rather than IP. Skipped for unauthenticated requests.

Form Submissions

Limit: 10 requests per 15 minutes per IP

Applies to public form endpoints (demo requests, career applications).

Analytics Tracking

Limit: 150 requests per minute per user

Applies to analytics/navigation tracking endpoints.

Rate Limit Exceeded

When a rate limit is exceeded, the API returns HTTP 429 Too Many Requests:

json
{
  "error": "Too many requests",
  "code": "RATE_LIMIT_EXCEEDED",
  "message": "Too many requests from this IP, please try again later.",
  "retryAfter": 900
}

The retryAfter field indicates the number of seconds to wait before retrying.
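A client that honours the headers and the 429 body, as an added example (this is not Controlinfra client code). It reads the RateLimit-* headers documented above, prefers the body's retryAfter when a 429 arrives, and treats the 503 returned by fail-closed tiers as a signal to back off rather than retry immediately. The exponential backoff for 503, the 60-second default when no reset value is present, and the constructed response sequence in simulate() are this example's own assumptions.

```javascript
// Added example, not Controlinfra client code: a caller that honours the documented
// RateLimit-* headers, the 429 body's retryAfter field and the 503 that fail-closed
// tiers return during a Redis outage. The backoff policy for 503 is this example's own choice.

// Header names are matched case-insensitively; values arrive as strings.
function parseRateLimit(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers || {})) lower[k.toLowerCase()] = v;
  const num = (v) => (v === undefined ? null : Number(v));
  return {
    limit: num(lower['ratelimit-limit']),
    remaining: num(lower['ratelimit-remaining']),
    resetSeconds: num(lower['ratelimit-reset']),
  };
}

// How long to wait before retrying, in ms, or null when the response is not a
// rate-limit signal and should be returned to the caller as-is.
function retryDelayMs(status, headers, body, attempt) {
  if (status === 429) {
    // retryAfter in the body is authoritative; RateLimit-Reset is the fallback.
    const fromBody = body && typeof body.retryAfter === 'number' ? body.retryAfter : null;
    const seconds = fromBody !== null ? fromBody : parseRateLimit(headers).resetSeconds;
    return (seconds !== null ? seconds : 60) * 1000; // 60 s default is an assumption
  }
  if (status === 503) {
    // Fail-closed tier with its store down: back off exponentially, capped at 30 s,
    // instead of hammering an already degraded service.
    return Math.min(30000, 1000 * 2 ** attempt);
  }
  return null;
}

// Pre-emptive pause: if the window is exhausted, wait for it to reset instead of
// spending a request on a guaranteed 429.
function proactiveDelayMs(headers) {
  const { remaining, resetSeconds } = parseRateLimit(headers);
  return remaining !== null && remaining <= 0 && resetSeconds !== null ? resetSeconds * 1000 : 0;
}

// doRequest() resolves to { status, headers, body }; sleep is injectable so tests do not wait.
async function requestWithBackoff(doRequest, { maxAttempts = 4, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = {}) {
  const delays = [];
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await doRequest();
    const delay = retryDelayMs(res.status, res.headers, res.body, attempt);
    if (delay === null) return { ...res, delays };
    delays.push(delay);
    await sleep(delay);
  }
  throw new Error(`rate limited on every one of ${maxAttempts} attempts`);
}

// Constructed responses (not captured from a real server): a scan trigger that is
// throttled once, then hits a 503 from a fail-closed tier, then succeeds.
function simulate() {
  const script = [
    { status: 429,
      headers: { 'RateLimit-Limit': '10', 'RateLimit-Remaining': '0', 'RateLimit-Reset': '42' },
      body: { error: 'Too many requests', code: 'RATE_LIMIT_EXCEEDED', retryAfter: 42 } },
    { status: 503, headers: {}, body: { error: 'Service unavailable' } },
    { status: 202,
      headers: { 'RateLimit-Limit': '10', 'RateLimit-Remaining': '9', 'RateLimit-Reset': '60' },
      body: { scanId: 'constructed-example' } },
  ];
  let i = 0;
  return requestWithBackoff(() => Promise.resolve(script[i++]), { sleep: async () => {} });
}

simulate().then((r) => console.log(r.status, r.delays)); // 202 [ 42000, 2000 ]
```

The body's retryAfter wins over RateLimit-Reset because it is the server's explicit instruction for that response; the header is a fallback for clients that only see headers. On a real network, add jitter to the 503 backoff so that many clients do not retry in lockstep once Redis returns.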

Resilience

Rate limiters use Redis when available for distributed limiting across multiple server instances. If Redis is unavailable:

  • Fail-open endpoints (most endpoints): Requests are allowed through, limited by a per-instance in-memory counter. Because that counter is not shared, the effective limit during an outage is roughly the configured limit multiplied by the number of server instances.
  • Fail-closed endpoints (auth, credentials, strict): Requests are rejected with HTTP 503 to prevent abuse during outages. Login, credential retrieval and token regeneration are therefore unavailable for the duration of a Redis outage, so Redis availability should be monitored and alerted on.
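A small limiter that reproduces the behaviour described across the tiers and this section, as an added example rather than Controlinfra's own implementation: a fixed-window counter behind a pluggable store, per-IP, per-user and per-runner keys, the RateLimit-* headers, the documented 429 body, and fail-open versus fail-closed handling when the shared store throws. SharedStore stands in for Redis and can be taken offline; the class names, the request shape, the `Rate limiter unavailable` 503 body and the constructed requests in scenario() are assumptions.

```javascript
// Added example, not Controlinfra's limiter: a fixed-window limiter with the tier semantics
// documented on this page. SharedStore stands in for Redis; all names and shapes are assumptions.

class StoreUnavailable extends Error {}

// Fixed window: the first hit opens a window of windowMs; later hits increment until it expires.
function bump(map, key, windowMs, now) {
  const slot = map.get(key);
  if (slot && now < slot.resetAt) { slot.count += 1; return slot; }
  const fresh = { count: 1, resetAt: now + windowMs };
  map.set(key, fresh);
  return fresh;
}

// Redis stand-in: one instance shared by every server process, and it can go offline.
class SharedStore {
  constructor() { this.counts = new Map(); this.online = true; }
  incr(key, windowMs, now) {
    if (!this.online) throw new StoreUnavailable('shared store unreachable');
    return bump(this.counts, key, windowMs, now);
  }
}

// Per-process fallback; counts here are not shared with other instances.
class MemoryStore {
  constructor() { this.counts = new Map(); }
  incr(key, windowMs, now) { return bump(this.counts, key, windowMs, now); }
}

// Key derivations for the documented tiers. Returning null means "this tier does not apply".
const keyByIp = (req) => `ip:${req.ip}`;
const keyByUser = (req) => (req.userId ? `user:${req.userId}` : null);
const keyByRunner = (req) => `runner:${String(req.runnerToken || '').slice(-8)}`;

const EXCEEDED = {
  error: 'Too many requests',
  code: 'RATE_LIMIT_EXCEEDED',
  message: 'Too many requests from this IP, please try again later.',
};

function createLimiter({ name, limit, windowMs, keyFn, failClosed = false, shared, fallback }) {
  return function check(req, now = Date.now()) {
    const key = keyFn(req);
    if (key === null) return { allowed: true, skipped: true, headers: {} };
    let slot;
    try {
      slot = shared.incr(`${name}:${key}`, windowMs, now);
    } catch (e) {
      if (!(e instanceof StoreUnavailable)) throw e;
      // Outage: sensitive tiers refuse rather than guess; the rest degrade to local counting.
      if (failClosed) return { allowed: false, status: 503, headers: {}, body: { error: 'Rate limiter unavailable' } };
      slot = fallback.incr(`${name}:${key}`, windowMs, now);
    }
    const resetSeconds = Math.ceil((slot.resetAt - now) / 1000);
    const headers = {
      'RateLimit-Limit': String(limit),
      'RateLimit-Remaining': String(Math.max(0, limit - slot.count)),
      'RateLimit-Reset': String(resetSeconds),
    };
    if (slot.count > limit) {
      return { allowed: false, status: 429, headers, body: { ...EXCEEDED, retryAfter: resetSeconds } };
    }
    return { allowed: true, headers };
  };
}

// Scenario with constructed requests: scan triggers from one IP, two runners behind one NAT,
// an unauthenticated request on the user tier, then a store outage.
function scenario() {
  const shared = new SharedStore();
  const fallback = new MemoryStore();
  const mk = (opts) => createLimiter({ shared, fallback, ...opts });
  const auth = mk({ name: 'auth', limit: 50, windowMs: 15 * 60 * 1000, keyFn: keyByIp, failClosed: true });
  const scan = mk({ name: 'scan', limit: 10, windowMs: 60 * 1000, keyFn: keyByIp });
  const runner = mk({ name: 'runner', limit: 120, windowMs: 60 * 1000, keyFn: keyByRunner });
  const user = mk({ name: 'user', limit: 500, windowMs: 15 * 60 * 1000, keyFn: keyByUser });
  const t0 = 1700000000000;
  const out = {};

  let last;
  for (let i = 0; i < 11; i++) last = scan({ ip: '203.0.113.7' }, t0 + i * 1000); // 11th in the minute
  out.scan11 = last.status;                 // 429
  out.scanRetryAfter = last.body.retryAfter; // 50 seconds left in the window

  const a = runner({ ip: '203.0.113.7', runnerToken: 'rtok_aaaa11112222' }, t0);
  const b = runner({ ip: '203.0.113.7', runnerToken: 'rtok_bbbb33334444' }, t0);
  out.runnerRemaining = [a.headers['RateLimit-Remaining'], b.headers['RateLimit-Remaining']]; // 119, 119

  out.anonSkipped = user({ ip: '203.0.113.7' }, t0).skipped === true;

  shared.online = false;
  out.authDuringOutage = auth({ ip: '203.0.113.7' }, t0).status;            // 503: fails closed
  out.scanDuringOutage = scan({ ip: '203.0.113.7' }, t0 + 11000).allowed;   // true: fresh local counter
  return out;
}

console.log(scenario());
```

The last line of the scenario is the fail-open caveat made concrete: the scan tier had already refused the IP on the shared counter, but the per-process fallback starts from zero, so the same IP is admitted again the moment Redis disappears. Keying the runner tier by a token suffix works as documented, but note that it writes eight characters of a bearer secret into store keys; a keyed hash of the token (for example HMAC with a server-side key) gives the same per-runner separation without that exposure.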