Skip to content

Rate Limiter

INFO

This functionality is available starting with Shopware 6.4.6.0.

Overview

Shopware 6 provides certain rate limits by default that reduces the risk of brute-force attacks for pages like login or password reset.

These rate limiters are always active. You do not need to add the shopware.api.rate_limiter map to your shopware.yml for them to work. The core already ships with the defaults documented below, and the shopware.yml is only used to override them (for example, to raise a limit or disable a limiter).

Default rate limiters

The following limiters are enabled by default. The values listed here reflect the current Shopware core configuration and may change between versions. When in doubt, the source of truth is src/Core/Framework/Resources/config/packages/shopware.yaml in the version you are running.

LimiterProtectsSincePolicyResetLimits
loginStorefront / Store-API customer authentication6.4.6.0time_backoff24 hours10 / 10s, 15 / 30s, 20 / 60s
guest_loginStorefront / Store-API after-order guest authentication6.4.6.0time_backoff24 hours10 / 10s, 15 / 30s, 20 / 60s
oauthAPI OAuth authentication / Administration login6.4.6.0time_backoff24 hours10 / 10s, 15 / 30s, 20 / 60s
reset_passwordStorefront / Store-API customer password reset6.4.6.0time_backoff24 hours3 / 30s, 5 / 60s, 10 / 90s
user_recoveryAdministration user password recovery6.4.6.0time_backoff24 hours3 / 30s, 5 / 60s, 10 / 90s
contact_formStorefront / Store-API contact form6.4.6.0time_backoff24 hours3 / 30s, 5 / 60s, 10 / 90s
notificationStore-API notification endpoint6.4.8.0time_backoff24 hours10 / 10s, 15 / 30s, 20 / 60s
newsletter_formStore-API newsletter registration6.4.16.0time_backoff24 hours3 / 30s, 5 / 60s, 10 / 90s
cart_add_line_itemAdding line items to the cart6.4.18.0system_config1 hourLimit read from core.cart.lineItemAddLimit, interval 60s
revocation_request_formStore-API revocation request form6.7.9.0time_backoff24 hours3 / 30s, 5 / 60s, 10 / 90s
newsletter_unsubscribe_formStore-API newsletter unsubscribe6.7.9.0time_backoff24 hours3 / 30s, 5 / 60s, 10 / 90s
app_shop_verifyApp shop registration verification6.7.9.0sliding_windown/a60 / 60min
mcp_admin_apiMCP server Admin API access (keyed per OAuth token)6.8.0.0time_backoff1 hour300 / 60s, 1000 / 10min
mcp_store_apiMCP server Store API access (keyed per sales-channel context token)6.8.0.0time_backoff1 hour120 / 60s, 600 / 10min

In the table above, Limits uses the limit / interval notation, and s / min are seconds / minutes. When you add a new default limiter to the core, add a row here with its introduction version so this table stays complete.

Configuration

The configuration for the rate limiter of Shopware 6 resides in the general bundle configuration:

text
<shop root>
└── config
   └── packages
      └── shopware.yml

To override the default rate limiters for your shop, you need to add the shopware.api.rate_limiter map to the shopware.yml. Under this key, you can separately define each rate limiter. Any key you set is merged into the defaults, so you only need to configure the values you want to change.

The following example disables the login limiter and overrides the oauth limiter:

yaml
shopware:
  api:
    rate_limiter:
      login:
        enabled: false
      oauth:
        enabled: true
        policy: 'time_backoff'
        reset: '24 hours'
        limits:
          - limit: 3
            interval: '10 seconds'
          - limit: 5
            interval: '60 seconds'

INFO

The following optional limiters are available starting with Shopware 6.7.10.0.

  • login_user: Storefront / Store-API customer authentication per email address, regardless of IP.
  • login_client: Storefront / Store-API customer authentication per IP address, regardless of email.
  • oauth_user: API oauth authentication / Administration login per username, regardless of IP.
  • oauth_client: API oauth authentication / Administration login per IP address, regardless of username.

Configuring time backoff policy

The time_backoff policy is built by Shopware itself. It enables you to throttle the request in multiple steps with different waiting times. Below you can find an example which throttles the request for 10 seconds after 3 requests and starting from 5 requests it always throttles for 60 seconds. If there are no more requests, it will be reset after 24 hours.

yaml
example_route:
    enabled: true
    policy: 'time_backoff'
    reset: '24 hours'
    limits:
        - limit: 3
          interval: '10 seconds'
        - limit: 5
          interval: '60 seconds'
Was this page helpful?
UnsatisfiedSatisfied
Be the first to vote!
0.0 / 5  (0 votes)