Some Action API modules proxy data from another API (e.g. ORES, Pageviews). Such modules should forward the request IP and user agent when making requests to the upstream API so client throttling / banning can be properly done upstream. For IP, this probably means setting X-Forwarded-For (and it would be the upstream's responsibility to have a whitelist of what sources to trust XFF from); for the user agent, maybe add an X-UA-Original header?
|Resolved||Ladsgroup||T148997 Implement parallel connection limit for querying ORES|
|Resolved||Ladsgroup||T137962 [Spec] Tracking and blocking specific IP/user-agent combinations|
|Resolved||Tgr||T161029 Forward request data in proxied Action API modules|