
The Store API Now Supports Rate Limiting

Popular stores can become targets for malicious actors. One well-known abusive pattern is sending a large number of requests in a very short timeframe in an attempt to overwhelm the store.

To counter such situations, the Store API now provides a rate limiting function — starting with WooCommerce Blocks 8.9.0, released on November 8th. When enabled, it will protect the block-based checkout process and all requests to the /cart and /product endpoints. This feature will land in WooCommerce 7.2 on December 13th, 2022.

Rate limiting is opt-in and is intended for advanced merchants and platforms.

Enabling Rate Limiting

Developers can enable rate limiting using the woocommerce_store_api_rate_limit_options filter. Limiting is based on user ID for registered users and IP address for guest users.

add_filter( 'woocommerce_store_api_rate_limit_options', function() {
    return [
        'enabled'       => false, // enables/disables rate limiting. Default: false (set to true to activate it)
        'proxy_support' => false, // enables/disables proxy support (trust forwarding headers). Default: false
        'limit'         => 25,    // maximum number of requests allowed per timeframe. Default: 25
        'seconds'       => 10,    // length of the timeframe in seconds. Default: 10
    ];
} );

With rate limiting enabled and these values, the Store API will block further requests from a user ID or IP address once it has sent 25 or more requests within a 10-second window. The counter is reset once the window has expired.

Those defaults — 25 requests and 10 seconds — can be adjusted in the filter.

Supporting Proxies and Load Balancers

Like any mechanism that restricts usage to counter potential abuse of an API, this is a sensitive feature that should be used carefully.

In a scenario where a store is behind another service layer (a proxy, load balancer, etc.), the developer should enable standard proxy support through the woocommerce_store_api_rate_limit_options filter. Otherwise every request arrives from the proxy's own IP address, so rate limiting might be wrongly triggered and limit all clients behind that proxy as a single group.

For the proxy_support option to work properly, service layers must pass the originating IP through the standard IP forwarding headers, namely:

  • X_REAL_IP | CLIENT_IP: popular custom implementations that simplify obtaining the origin IP of the request.
  • X_FORWARDED_FOR: the de-facto standard header for identifying the originating IP, see the documentation.
  • X_FORWARDED: the standardized Forwarded header, see RFC 7239.
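The two sections above describe enabling the limiter and switching on proxy support. The following is an added example that is not WooCommerce's own code: a must-use plugin that enables rate limiting with slightly stricter values and turns proxy support on only when the deployment declares that it sits behind a proxy. It assumes the filter passes the default options array as its first argument (so the callback merges rather than replaces it) and uses a hypothetical MY_STORE_BEHIND_PROXY constant that you would define in wp-config.php.

```php
<?php
/**
 * Added example (not WooCommerce's own code).
 * Drop into wp-content/mu-plugins/store-api-rate-limit.php.
 *
 * Assumption: the woocommerce_store_api_rate_limit_options filter passes
 * the default options array as its first argument.
 */

add_filter(
	'woocommerce_store_api_rate_limit_options',
	function ( $default_options ) {
		// Start from the defaults so any option keys added later keep their
		// default values instead of silently disappearing.
		$options = is_array( $default_options ) ? $default_options : [];

		$options['enabled'] = true;

		// Hypothetical constant, defined in wp-config.php per environment:
		//   define( 'MY_STORE_BEHIND_PROXY', true );
		// Only trust forwarding headers when a proxy or load balancer really
		// sets them. Without such a layer in front of the store, the header
		// value is whatever the client chose to send, and limiting would be
		// keyed on an address the client controls.
		$options['proxy_support'] = defined( 'MY_STORE_BEHIND_PROXY' ) && MY_STORE_BEHIND_PROXY;

		// Stricter than the defaults of 25 requests per 10 seconds.
		$options['limit']   = 15;
		$options['seconds'] = 10;

		return $options;
	}
);
```

Because the file lives in mu-plugins it loads before regular plugins and cannot be deactivated from the admin screen, which is what you want for a protection that should not be switched off by accident.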

Tracking Abuses

Developers can use the woocommerce_store_api_rate_limit_exceeded action to track and handle instances of API abuse:

add_action(
    'woocommerce_store_api_rate_limit_exceeded',
    function ( $offending_ip ) { /* Custom tracking implementation */ }
);
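As an added example of a "custom tracking implementation" (not WooCommerce's own code), the handler below records each limit hit with the WooCommerce logger and keeps a short-lived per-offender counter in a transient, so that repeat offenders show up in the log with a running count. It assumes the action passes the offending IP address (or user ID for registered users) as its only argument, as the snippet above shows, and that wc_get_logger() and the WordPress transient API are available because WooCommerce is loaded. The threshold and the my_store_rate_limit_repeat_offender action are hypothetical.

```php
<?php
/**
 * Added example (not WooCommerce's own code): log Store API rate-limit hits
 * and count repeat offenders over a one-hour window.
 */

add_action(
	'woocommerce_store_api_rate_limit_exceeded',
	function ( $offending_ip ) {
		// One transient per offender. Hashing keeps the key short and removes
		// characters such as IPv6 colons from the option name.
		$key   = 'store_api_rl_' . md5( (string) $offending_ip );
		$count = (int) get_transient( $key ) + 1;

		// The expiry is refreshed on every hit, so the count covers the last
		// hour of activity rather than a fixed calendar hour.
		set_transient( $key, $count, HOUR_IN_SECONDS );

		$logger  = wc_get_logger();
		$context = [ 'source' => 'store-api-rate-limit' ];

		$logger->warning(
			sprintf(
				'Store API rate limit exceeded by %s (%d hits in the last hour).',
				$offending_ip,
				$count
			),
			$context
		);

		// Hypothetical escalation threshold: hand repeat offenders to whatever
		// alerting or blocking you run elsewhere via a custom action.
		if ( $count >= 5 ) {
			do_action( 'my_store_rate_limit_repeat_offender', $offending_ip, $count );
		}
	}
);
```

The log entries land under the store-api-rate-limit source in WooCommerce > Status > Logs, which gives you a first view of who is tripping the limit before deciding whether to tune the limit and seconds values.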

For a more in-depth description of this feature, please take a look at the complete documentation here.

We welcome suggestions and issues in the WooCommerce Blocks repository on GitHub, so don’t miss out on the chance to help us improve this!

By Paulo Arromba

Software Engineer @Automattic
