Rate Limiter

Overview

Shopware 6 provides certain rate limits by default that reduce the risk of brute-force attacks on pages such as login or password reset.

Configuration

The configuration for the rate limiter of Shopware 6 resides in the general bundle configuration:
<shop root>
└── config
    └── packages
        └── shopware.yml
To configure the default rate limiters for your shop, add the shopware.api.rate_limiter map to shopware.yml. Under this key each rate limiter is defined separately.
The default limiters are:
    login: Storefront / Store-API customer authentication.
    guest_login: Storefront / Store-API after order guest authentication.
    oauth: API oauth authentication / Administration login.
    reset_password: Storefront / Store-API customer password reset.
    user_recovery: Administration user password recovery.
    contact_form: Storefront / Store-API contact form.
<shop root>/config/packages/shopware.yaml
shopware:
    api:
        rate_limiter:
            login:
                enabled: false
            oauth:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 3
                      interval: '10 seconds'
                    - limit: 5
                      interval: '60 seconds'

Configuring time backoff policy

The time_backoff policy is provided by Shopware itself. It lets you throttle requests in multiple steps with different waiting times. The example below throttles requests for 10 seconds once 3 requests have been made, and from 5 requests onwards it always throttles for 60 seconds. If no further requests arrive, the counter is reset after 24 hours.
<plugin root>/src/Resources/config/rate_limiter.yaml
example_route:
    enabled: true
    policy: 'time_backoff'
    reset: '24 hours'
    limits:
        - limit: 3
          interval: '10 seconds'
        - limit: 5
          interval: '60 seconds'
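As an added example (not code from Shopware or from this page), the following Python model implements the time_backoff semantics described above, driven by a dictionary that mirrors the example_route configuration. It assumes that only accepted attempts are counted and that the waiting time is measured from the last accepted attempt; this is a simplified reading of the documented behaviour, not a description of Shopware's own implementation. It also includes a small check that lists which limiters a shopware.yaml rate_limiter map disables, since the configuration example earlier on this page turns the login limiter off.

```python
import re
from dataclasses import dataclass, field

# Constructed configuration mirroring the page's example_route block
# (in Shopware this would be read from the YAML file, not a dict).
EXAMPLE_ROUTE_CONFIG = {
    "enabled": True,
    "policy": "time_backoff",
    "reset": "24 hours",
    "limits": [
        {"limit": 3, "interval": "10 seconds"},
        {"limit": 5, "interval": "60 seconds"},
    ],
}

# Constructed rate_limiter map mirroring the page's shopware.yaml example.
EXAMPLE_RATE_LIMITER_MAP = {
    "login": {"enabled": False},
    "oauth": EXAMPLE_ROUTE_CONFIG,
}

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_interval(text: str) -> int:
    """Convert strings such as '10 seconds' or '24 hours' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(second|minute|hour|day)s?\s*", text)
    if not m:
        raise ValueError(f"unsupported interval: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def disabled_limiters(rate_limiter_map: dict) -> list:
    """Names of limiters explicitly switched off (enabled: false)."""
    return sorted(
        name for name, cfg in rate_limiter_map.items()
        if cfg.get("enabled") is False
    )


@dataclass
class TimeBackoffLimiter:
    """Simplified model of the time_backoff policy (assumption, not Shopware code)."""
    limits: list          # (attempt threshold, wait seconds), ascending
    reset_after: int      # seconds of inactivity after which the counter resets
    attempts: dict = field(default_factory=dict)  # key -> (count, last_ts)

    @classmethod
    def from_config(cls, cfg: dict) -> "TimeBackoffLimiter":
        if cfg.get("policy") != "time_backoff":
            raise ValueError("only the time_backoff policy is modelled here")
        limits = sorted(
            (int(step["limit"]), parse_interval(step["interval"]))
            for step in cfg["limits"]
        )
        return cls(limits, parse_interval(cfg["reset"]))

    def wait_for(self, count: int) -> int:
        """Waiting time enforced once `count` attempts have been accepted.

        The highest threshold reached wins: with the page's limits, 3 or 4
        attempts give 10 seconds, 5 or more give 60 seconds.
        """
        wait = 0
        for threshold, seconds in self.limits:
            if count >= threshold:
                wait = seconds
        return wait

    def attempt(self, key: str, now: int) -> tuple:
        """Register an attempt for `key` (e.g. an IP) at time `now`.

        Returns (allowed, retry_after_seconds).
        """
        count, last = self.attempts.get(key, (0, None))
        # Inactivity reset: no request for `reset_after` seconds clears the counter.
        if last is not None and now - last >= self.reset_after:
            count, last = 0, None
        if last is not None:
            wait = self.wait_for(count)
            if now - last < wait:
                return False, wait - (now - last)
        self.attempts[key] = (count + 1, now)
        return True, 0


def simulate(timestamps, cfg=EXAMPLE_ROUTE_CONFIG, key="client-a") -> list:
    """Run a constructed sequence of attempt times through the limiter."""
    limiter = TimeBackoffLimiter.from_config(cfg)
    return [limiter.attempt(key, t) for t in timestamps]


if __name__ == "__main__":
    print("disabled limiters:", disabled_limiters(EXAMPLE_RATE_LIMITER_MAP))
    for t, result in zip([0, 1, 2, 3, 12, 13, 22, 50, 82], simulate([0, 1, 2, 3, 12, 13, 22, 50, 82])):
        print(f"t={t:>3}s -> allowed={result[0]}, retry_after={result[1]}s")
```

The simulation shows the stepping behaviour the text describes: the fourth attempt within 10 seconds of the third is rejected, and once five attempts have been accepted every further attempt must wait 60 seconds from the last one. Running the check over the shopware.yaml example reports login as disabled, which is exactly the kind of setting worth reviewing before a shop goes live.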