Description
The application currently exposes the /api/og/heist dynamic image generation route and the /api/webhooks/github route without application-level rate limiting. Because the OG image generation relies on the Edge runtime and resource-intensive image computation, it is susceptible to resource exhaustion attacks. Similarly, webhook endpoints currently process all incoming requests, creating a vector for spam-based compute/DB usage.
Proposed Solution
1 Infrastructure: Integrate @upstash/ratelimit with a Redis backend.
2 Middleware: Implement IP-based rate limiting in middleware.ts for all /api/og/* routes (Threshold: 20 req/min).
3 API Level: Implement repository-ID-based rate limiting in the GitHub webhook route to prioritize valid CI/CD event processing.
Description
The application currently exposes the
/api/og/heistdynamic image generation route and the/api/webhooks/githubroute without application-level rate limiting. Because the OG image generation relies on the Edge runtime and resource-intensive image computation, it is susceptible to resource exhaustion attacks. Similarly, webhook endpoints currently process all incoming requests, creating a vector for spam-based compute/DB usage.Proposed Solution
1 Infrastructure: Integrate @upstash/ratelimit with a Redis backend.
2 Middleware: Implement IP-based rate limiting in middleware.ts for all /api/og/* routes (Threshold: 20 req/min).
3 API Level: Implement repository-ID-based rate limiting in the GitHub webhook route to prioritize valid CI/CD event processing.