rest gateway: for unauthenticated requests from wmcs, use the User_agent header as the rate limit key
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	daniel
	Nov 20 2025, 4:12 PM

Project Tags

Referenced Files

None

Subscribers

Description

All unauthenticated requests from WMCS would currently share a single rate limit counter, the one keyed on the IP address 172.16.19.172. To avoid this, we should use the user-agent string instead. This would also incentivise bots to adhere to the UA policy. The assumption is that we don't have malicious clients on WMCS that would send us randomized user agent strings.

Related Objects
Search...

Status	Assigned	Task
Open	None	T399291 Epic: API Rate Limiting Architecture
Open	None	T412585 Epic: Enforce API rate limits (WE5.1.3c)
Resolved	daniel	T398919 Epic: API rate limiting dry run (WE5.1.3b)
Resolved	daniel	T410658 rest gateway: for unauthenticated requests from wmcs, use the User_agent header as the rate limit key

Event Timeline

daniel created this task.Nov 20 2025, 4:12 PM

OWresch-WMF moved this task from Inbox, needs triage to Kanban Board on the MediaWiki-Platform-Team board.Nov 27 2025, 3:37 PM

OWresch-WMF edited projects, added: MediaWiki-Platform-Team (Kanban Board); removed: MediaWiki-Platform-Team.

daniel closed this task as Resolved.Dec 13 2025, 12:16 PM

daniel claimed this task.

rest gateway: for unauthenticated requests from wmcs, use the User_agent header as the rate limit keyClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

rest gateway: for unauthenticated requests from wmcs, use the User_agent header as the rate limit key
Closed, ResolvedPublic
Actions

Related Objects
Search...