Issue
- How to prevent users from submitting a form too frequently (e.g., more than 10 times in 10 seconds) in a custom MVC portlet.
Environment
- Liferay DXP 7.4
Resolution
Configure rate limiting directly in the Apache web server. Liferay DXP itself does not provide this functionality.
Use the mod_ratelimit module (or similar modules like mod_security) within the Apache configuration. For example:
<Location "/submit-form">
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 10
    SetEnv rate-initial-burst 512
</Location>
Explanation:
- <Location "/submit-form">: This directive specifies the URL path to which the rate-limiting rule applies. Replace /submit-form with the actual URL of the form submission. If the form is handled by an MVC portlet, this will be the URL that triggers the portlet action.
- SetOutputFilter RATE_LIMIT: This line activates the rate-limiting filter.
- SetEnv rate-limit 10: This sets the maximum number of requests allowed per IP address within the specified time window. In this example, it's 10 requests.
- SetEnv rate-initial-burst 512: This setting allows an initial burst of requests above the rate limit (useful for handling legitimate bursts of activity). The value is in bytes; adjust it as needed.
Configuration of Location and Multiple Pages:
- Add these configuration lines to your main Apache configuration file (e.g., /etc/apache2/apache2.conf or /etc/httpd/httpd.conf, or a separate file included by the main configuration). The exact location depends on the Apache setup.
- To apply rate limiting to multiple pages, repeat the entire <Location> block for each URL, replacing /submit-form with the appropriate path.
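A per-client request count of the kind the Issue describes (more than 10 submissions in 10 seconds), written for mod_security, which the Resolution names as an alternative. Apache's documentation describes mod_ratelimit's rate-limit value as a response bandwidth figure in KiB/s, so the count is expressed with ModSecurity rules here. This is an added example, not Liferay's configuration: it assumes ModSecurity 2.x with SecRuleEngine On and a writable SecDataDir already set, and the rule ids, the variable name form_posts and the 429 status are choices made for illustration.

```apache
# Added example: ModSecurity 2.x rules, not taken from the Liferay article.
# Assumes SecRuleEngine On and a writable SecDataDir are already configured.
# Rule ids and the variable name form_posts are illustrative.
<IfModule security2_module>
    <Location "/submit-form">
        # Phase 2 rules are evaluated after Apache has resolved the
        # <Location> scope, so they apply to this path only.

        # Load the persistent per-client record, keyed on the address Apache
        # sees. Behind a load balancer or CDN that is the proxy's address,
        # so every user would share one counter; key on a trusted
        # client-address source in that case.
        SecAction "id:1000100,phase:2,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

        # Start a window on the first request: create the counter and let it
        # expire 10 seconds later. This rule fires only while the counter is
        # absent, so later requests do not extend the window.
        SecRule &IP:FORM_POSTS "@eq 0" \
            "id:1000101,phase:2,pass,nolog,\
            setvar:ip.form_posts=0,expirevar:ip.form_posts=10"

        # Count submissions only, so rendering the page that holds the form
        # on the same path does not use up the allowance.
        SecRule REQUEST_METHOD "@streq POST" \
            "id:1000102,phase:2,pass,nolog,setvar:ip.form_posts=+1"

        # The 11th POST inside the window trips the limit. Once tripped,
        # every request to this path from that address is refused until the
        # counter expires, and each refusal is written to the audit log.
        SecRule IP:FORM_POSTS "@gt 10" \
            "id:1000103,phase:2,deny,status:429,log,\
            msg:'Form submission rate limit exceeded',\
            logdata:'posts in window: %{ip.form_posts}'"
    </Location>
</IfModule>
```

The logged msg string gives operations a fixed value to alert on when a single address repeatedly trips the limit.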
Additional Information