From e6fb5029bbd064c9226ccaff168cdf864da86cd5 Mon Sep 17 00:00:00 2001
From: Edward Oliveira
Date: Mon, 11 May 2026 19:24:51 -0300
Subject: [PATCH] =?UTF-8?q?Raise=20API=20quota=20to=201=20000/day=20=C2=B7?= =?UTF-8?q?=207=20000/week?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

At 35 req/min the old 500/day cap fired in ~14 min, making it redundant with the per-minute block. The new values target slow-drip scrapers (10–20 req/min sustained all day) while leaving legitimate integrations (< 500/day) well within budget.

Co-Authored-By: Claude Sonnet 4.6
---
 sapl/settings.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sapl/settings.py b/sapl/settings.py
index 27f26474c..58e8bd208 100644
--- a/sapl/settings.py
+++ b/sapl/settings.py
@@ -439,8 +439,8 @@ RATE_LIMIT_BYPASS_PATHS = [
 # API quota — daily and weekly call caps for all /api/ callers (anon and auth).
 # All callers are keyed by IP — auth status is not checked.
 # Weekly default is 7× the daily cap.
-API_QUOTA_DAILY = config('API_QUOTA_DAILY', default=500, cast=int)
-API_QUOTA_WEEKLY = config('API_QUOTA_WEEKLY', default=3500, cast=int)
+API_QUOTA_DAILY = config('API_QUOTA_DAILY', default=1000, cast=int)
+API_QUOTA_WEEKLY = config('API_QUOTA_WEEKLY', default=7000, cast=int)
 # API-specific per-minute rate limit for external (non-same-origin) anonymous calls.
 # Abuse writes rl:api:ip::blocked only — never rl:ip::blocked.
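Review bot: The weekly default on the new `API_QUOTA_WEEKLY` line is still a separate hard-coded literal, so the comment above it ("Weekly default is 7× the daily cap") only holds while nobody overrides `API_QUOTA_DAILY`; a deployment that sets `API_QUOTA_DAILY` alone keeps a weekly cap of 7000. Deriving it keeps the two in step: `API_QUOTA_WEEKLY = config('API_QUOTA_WEEKLY', default=7 * API_QUOTA_DAILY, cast=int)`. Separately, at exactly 7× the weekly cap looks unable to trip before the daily one, which is the same kind of redundancy the commit message cites against the old 500/day value; that depends on how the enforcement code (not in this hunk) aligns its windows, so it is worth confirming whether a lower multiple was intended for sustained scrapers. Because all callers are keyed by IP, a short comment noting that clients behind a shared NAT or proxy draw from one budget would help operators choose overrides.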