
IP rate-limiting via custom header

Live
July 25, 2024, 10:51 a.m.

Summary

IP-based rate-limiting is configured for various API endpoints. To prevent valid server-side requests, which originate from a single IP or a pool of IPs, from being adversely impacted, this behaviour can now be controlled by a custom header.

Two headers are required to trigger this flow:

  • X-Client-IP: the IP of the user/client from which the request originated.
  • X-Client-IP-Authorization: a base64-encoded string that is a secret known to the client and Kraken.

Additional information

  • These headers should be included in server-side requests to Kraken, but we recommend omitting them from client-side requests (i.e. those from a user's device/browser).
  • The value of X-Client-IP-Authorization should be treated as a credential and stored securely.
  • The client making requests to Kraken is responsible for obtaining and setting a correct value in X-Client-IP.
  • X-Client-IP supports the same format as X-Forwarded-For.
  • The header names above are defaults, and can be configured.

Examples

  1. Client-side: valid ✅

    • Request: x-client-ip and x-client-ip-authorization not included.
    • Response: Rate-limiting applied on source IP.
  2. Server-side: valid ✅

    • Request: {"x-client-ip": "12.3.5.7", "x-client-ip-authorization": "correct-value"}.
    • Response: Rate-limiting applied on 12.3.5.7.
  3. Server-side: invalid ❌

    • Request:
      • Incorrect credentials:
        • {"x-client-ip": "12.3.5.7", "x-client-ip-authorization": "incorrect-value"}
      • Missing headers:
        • {"x-client-ip": "12.3.5.7"}
        • {"x-client-ip-authorization": "correct-value"}
    • Response: Rate-limiting applied on source IP.
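As an added example (not Kraken's own code), this is the key-selection logic a rate limiter would apply to the three cases above: the client-supplied IP is trusted only when both headers are present and the credential matches, otherwise the connection's source IP is used. It assumes a constructed shared secret and that the left-most X-Client-IP entry (X-Forwarded-For format) is the originating client.

```python
import base64
import hmac
import ipaddress
from typing import Mapping, Optional

# Constructed example secret. The real value is issued by Kraken per client;
# load it from a secret store rather than hard-coding it.
CLIENT_IP_SECRET = base64.b64encode(b"example-shared-secret").decode()

# Default header names from the page; both are configurable.
IP_HEADER = "x-client-ip"
AUTH_HEADER = "x-client-ip-authorization"


def _first_valid_ip(value: str) -> Optional[str]:
    """Parse an X-Forwarded-For style value ("client, proxy1, proxy2") and
    return the left-most entry if it is a syntactically valid IP address.
    Assumption: the left-most entry is the originating client."""
    for part in value.split(","):
        candidate = part.strip()
        if not candidate:
            continue
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return None  # malformed entry: do not trust the header at all
    return None


def rate_limit_key(headers: Mapping[str, str], source_ip: str) -> str:
    """Return the IP address the rate limiter should key on.

    Header names are matched case-insensitively, as HTTP requires. Any
    missing, malformed or incorrectly authorised header falls back to the
    source IP, matching examples 1 and 3 above.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    client_ip = lowered.get(IP_HEADER)
    auth = lowered.get(AUTH_HEADER)
    if client_ip is None or auth is None:
        return source_ip  # one or both headers missing
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(auth.encode(), CLIENT_IP_SECRET.encode()):
        return source_ip  # incorrect credential
    parsed = _first_valid_ip(client_ip)
    return parsed if parsed is not None else source_ip
```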