
Add rate limiting and access restrictions to Alert API endpoints #28

Description

@xoth42

The alert-api FastAPI service is exposed to the internet via /alerts/api/, and all authentication is handled in-app against Grafana credentials with no rate limiting or lockout. An attacker can brute-force passwords or hammer auth endpoints.

Mitigations:

  • Add per-IP rate limiting to /alerts/api/* endpoints. This can be achieved in Caddy (recommended) or via FastAPI middleware.
  • Consider restricting /alerts/api/ public binding unless truly needed—prefer a VPN for remote access.

Action Items:

  • Implement reasonable per-IP rate limits for alert-api endpoints.
  • Update documentation to clarify why direct public exposure is risky.
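A FastAPI-middleware variant of the first mitigation, added here as an illustration and not code from this repository: a dependency-free ASGI middleware (the names PerIPRateLimit, echo_app and status_for are assumptions) that applies a per-IP sliding window to paths under /alerts/api/ and answers 429 with a Retry-After header once the budget is spent; with FastAPI it is registered as app.add_middleware(PerIPRateLimit, limit=10, window=60.0).

```python
import asyncio
import time
from collections import defaultdict, deque

class PerIPRateLimit:
    """Dependency-free ASGI middleware: per-client-IP sliding window for paths under `prefix`."""
    def __init__(self, app, prefix="/alerts/api/", limit=10, window=60.0, clock=time.monotonic):
        self.app, self.prefix, self.limit, self.window = app, prefix, limit, window
        self.clock = clock  # injectable so the window can be exercised without sleeping
        self.hits = defaultdict(deque)  # ip -> timestamps of requests still inside the window

    def allow(self, ip):
        """Count one request from `ip`; return (allowed, retry_after_seconds)."""
        now = self.clock()
        q = self.hits[ip]
        while q and now - q[0] >= self.window:  # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:  # over budget: reject without recording it
            return False, int(self.window - (now - q[0])) + 1
        q.append(now)
        return True, 0

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or not scope["path"].startswith(self.prefix):
            return await self.app(scope, receive, send)
        # scope["client"] is the TCP peer; behind Caddy use X-Forwarded-For only from a trusted proxy.
        ip = (scope.get("client") or ("unknown", 0))[0]
        allowed, retry_after = self.allow(ip)
        if allowed:
            return await self.app(scope, receive, send)
        await send({"type": "http.response.start", "status": 429,
                    "headers": [(b"content-type", b"text/plain"),
                                (b"retry-after", str(retry_after).encode())]})
        await send({"type": "http.response.body", "body": b"Too Many Requests"})

async def echo_app(scope, receive, send):
    """Stand-in for the real alert-api app (constructed for this example)."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def status_for(mw, ip, path="/alerts/api/login"):
    """Drive one request through `mw` and return the response status code."""
    scope = {"type": "http", "path": path, "client": (ip, 40000), "headers": []}
    statuses = []
    async def send(msg):
        if msg["type"] == "http.response.start":
            statuses.append(msg["status"])
    asyncio.run(mw(scope, None, send))  # receive is never read in this example
    return statuses[0]
```

The counters live in process memory, so with several uvicorn workers each worker enforces its own budget; a shared store, or the Caddy option, is needed for one global limit.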

Labels: bug