encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-11-04 01:47:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Throttling disclaimer (#8403)

Browse Source 
* Throttling disclaimer

* Expand throttling disclaimer.
This commit is contained in:
Tom Christie 2022-03-11 10:58:59 +00:00 committed by GitHub
parent a53e523f93
commit 0e3bc2b1e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/api-guide/throttling.md
View File

@ -19,6 +19,8 @@ Multiple throttles can also be used if you want to impose both burst throttling
Throttles do not necessarily only refer to rate-limiting requests. For example a storage service might also need to throttle against bandwidth, and a paid data service might want to throttle against a certain number of a records being accessed. Throttles do not necessarily only refer to rate-limiting requests. For example a storage service might also need to throttle against bandwidth, and a paid data service might want to throttle against a certain number of a records being accessed.
**The application-level throttling that REST framework provides should not be considered a security measure or protection against brute forcing or denial-of-service attacks. Deliberately malicious actors will always be able to spoof IP origins, and application-level throttling is intended for implementing policies such as different business tiers and basic protections against service over-use.**
## How throttling is determined ## How throttling is determined
As with permissions and authentication, throttling in REST framework is always defined as a list of classes. As with permissions and authentication, throttling in REST framework is always defined as a list of classes.
@ -79,7 +81,7 @@ Throttle classes set in this way will override any viewset level class settings.
} }
return Response(content) return Response(content)
## How clients are identified ## How clients are identified
The `X-Forwarded-For` HTTP header and `REMOTE_ADDR` WSGI variable are used to uniquely identify client IP addresses for throttling. If the `X-Forwarded-For` header is present then it will be used, otherwise the value of the `REMOTE_ADDR` variable from the WSGI environment will be used. The `X-Forwarded-For` HTTP header and `REMOTE_ADDR` WSGI variable are used to uniquely identify client IP addresses for throttling. If the `X-Forwarded-For` header is present then it will be used, otherwise the value of the `REMOTE_ADDR` variable from the WSGI environment will be used.