From e7136872eb6b154e74df0783d9231b7cd5478d11 Mon Sep 17 00:00:00 2001
From: Imants
Date: Sun, 9 Feb 2025 18:54:11 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 14: Missing rate limiting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 frontend/package.json | 3 ++-
 frontend/server.js | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/frontend/package.json b/frontend/package.json
index f9449a1add..372be905a6 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -63,7 +63,8 @@
     "react-qr-code": "^2.0.12",
     "react-router-dom": "^6.11.2",
     "recharts": "2",
-    "sirv": "^2.0.4"
+    "sirv": "^2.0.4",
+    "express-rate-limit": "^7.5.0"
   },
   "devDependencies": {
     "@lingui/cli": "^4.7.0",
diff --git a/frontend/server.js b/frontend/server.js
index 9fa34d2c28..e2444c247a 100644
--- a/frontend/server.js
+++ b/frontend/server.js
@@ -10,6 +10,7 @@ import path from "node:path";
 import {fileURLToPath} from "node:url";
 import * as nodePath from "node:path";
 import * as nodeUrl from "node:url";
+import rateLimit from "express-rate-limit";
 
 installGlobals();
 
@@ -30,6 +31,16 @@ const ssrManifest = isProduction
   : undefined;
 
 const app = express();
+
+// set up rate limiter: maximum of 100 requests per 15 minutes
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // max 100 requests per windowMs
+});
+
+// apply rate limiter to all requests
+app.use(limiter);
+
 app.use(cookieParser());
 app.use('/.well-known', express.static(path.join(__dirname, 'public/.well-known')));
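Review bot: The new `"express-rate-limit": "^7.5.0"` entry lands in package.json without a matching lockfile change (the diffstat lists only two files), so if the project tracks a package-lock.json or yarn.lock, installs from this commit will resolve the caret range fresh rather than to a reviewed, pinned version; regenerate and commit the lockfile with this change. The entry is also appended after `"sirv"`, which breaks the alphabetical ordering the surrounding `dependencies` keys follow; move it to its sorted position earlier in the block.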
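Review bot: `app.use(limiter)` applies the 100-requests-per-15-minutes cap to every route, including the static assets served by `express.static` on the following lines and, presumably, the SSR page routes, so a single page load consumes a large share of a client's budget and users behind a shared NAT will hit 429s quickly; either raise the limit, register the limiter only on the routes the alert concerns, or pass a `skip` for static asset paths. The limiter keys on the client IP and no `app.set('trust proxy', …)` is visible in this hunk — if the server runs behind a reverse proxy, every request would share the proxy's address and a single bucket, and express-rate-limit v7 raises a validation error when it sees `X-Forwarded-For` without trust proxy configured — confirm the proxy setting elsewhere in the file. In v7 `max` is the deprecated alias of `limit`, and the standard headers are worth enabling: `limit: 100, standardHeaders: 'draft-7', legacyHeaders: false,`. The default store is in-process memory, so the count resets on restart and is not shared across instances; the comment should state that so nobody assumes a cluster-wide limit.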