From e0d72f805765405f4d90725b73967e957b73a73a Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Mon, 9 Mar 2026 20:29:17 -0600
Subject: [PATCH] feat: add rate limiting to form submission
Add Flask-Limiter and cap POST submissions to 5 per minute per IP. GET requests are not limited. Uses in-memory storage (appropriate for single-instance kiosk deployment).
---
 app.py | 5 ++++-
 requirements.txt | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/app.py b/app.py
index f2fce0f..d4f61cc 100644
--- a/app.py
+++ b/app.py
@@ -1,4 +1,6 @@
 from flask import Flask, render_template, request, redirect, url_for, jsonify, abort
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 import sqlite3
 import re
 import logging
@@ -10,6 +12,7 @@ logger = logging.getLogger(__name__)
 app = Flask(__name__)
 DATABASE = os.environ.get('DATABASE_PATH', 'guestbook.db')
+limiter = Limiter(get_remote_address, app=app, default_limits=[])
 def load_banned_words():
     banned_words = set()
@@ -72,7 +75,7 @@ with app.app_context():
     init_db()
 @app.route('/', methods=['GET', 'POST'])
-# TODO: No rate limiting — form can be spammed. Add Flask-Limiter (e.g. @limiter.limit("10/minute")).
+@limiter.limit("5 per minute", methods=["POST"])
 def index():
     error = None
     if request.method == 'POST':
diff --git a/requirements.txt b/requirements.txt
index faa652e..e8afb9a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 Flask>=3.1.3
 Werkzeug>=3.0.6
+Flask-Limiter>=3.0
 gunicorn
\ No newline at end of file
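Review bot: The `limiter = Limiter(get_remote_address, ...)` line keys the limit on `request.remote_addr`, so if this app is served through a reverse proxy (gunicorn is in requirements.txt and is commonly fronted by one) every visitor shares the proxy's address and the 5/minute cap becomes a single global bucket instead of per client. If a proxy is in the deployment path, wrap the app with `werkzeug.middleware.proxy_fix.ProxyFix` using the real trusted hop count so `remote_addr` reflects the client; do not read `X-Forwarded-For` directly, since an unauthenticated client can set it to dodge the limit. The in-memory store is also per process, so under gunicorn with more than one worker the effective cap is roughly 5 × workers; passing `storage_uri="memory://"` explicitly documents the choice (and, as far as I recall, silences Flask-Limiter's fallback warning), and a comment such as `# per-process counters: run a single gunicorn worker or move to redis://` would record the single-instance assumption the commit message relies on.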
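Review bot: `@limiter.limit("5 per minute", methods=["POST"])` rejects the request before `index()` runs, so a throttled kiosk user gets Flask-Limiter's default 429 page rather than the form re-rendered with an `error` message the way the view's own validation path appears to handle failures. Registering `@app.errorhandler(429)` that renders the same template with a short "too many submissions, try again in a minute" message keeps the kiosk on the form; a brief comment above the decorator noting that the limit is per `remote_addr` and counts rejected-as-well-as-accepted POSTs would help the next maintainer. The body of `index()` continues past the end of the hunk.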