IP rate-limiting via custom header
Live
July 25, 2024, 10:51 a.m.
Summary
IP-based rate-limiting is configured for various API endpoints. To prevent valid server-side requests, which originate from a single IP or a pool of IPs, from being adversely impacted, this behaviour can now be controlled by a custom header.
Two headers are required to trigger this flow:
- X-Client-IP: the IP of the user/client from which the request originated.
- X-Client-IP-Authorization: a base64-encoded string that is a secret known to the client and Kraken.
Additional information
- These headers should be included in server-side requests to Kraken, but we recommend omitting them from client-side requests (i.e. those from a user's device/browser).
- The value of X-Client-IP-Authorization should be treated as a credential and stored securely.
- The client making requests to Kraken is responsible for obtaining and setting a correct value in X-Client-IP.
- X-Client-IP supports the same format as X-Forwarded-For.
- The header names above are defaults, and can be configured.
Examples
Client-side: valid ✅
- Request: x-client-ip and x-client-ip-authorization not included.
- Response: Rate-limiting applied on source IP.
Server-side: valid ✅
- Request: {"x-client-ip": "12.3.5.7", "x-client-ip-authorization": "correct-value"}
- Response: Rate-limiting applied on 12.3.5.7.
Server-side: invalid ❌
- Request:
  - Incorrect credentials: {"x-client-ip": "12.3.5.7", "x-client-ip-authorization": "incorrect-value"}
  - Missing headers: {"x-client-ip": "12.3.5.7"} or {"x-client-ip-authorization": "correct-value"}
- Response: Rate-limiting applied on source IP.
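As an added illustration (not Kraken's own code), here is the decision the examples above describe, written in Python: trust X-Client-IP only when both headers are present and the credential matches, otherwise fall back to the source IP. The header names, the placeholder secret, and taking the first entry of an X-Forwarded-For style list as the client are assumptions.

```python
import hmac
import ipaddress
from typing import Mapping, Optional

# Constructed sample values. The real header names are configurable defaults
# and the shared secret is whatever was provisioned for the client.
CLIENT_IP_HEADER = "x-client-ip"
CLIENT_IP_AUTH_HEADER = "x-client-ip-authorization"
SHARED_SECRET = "correct-value"  # placeholder for the real base64-encoded secret


def parse_client_ip(value: str) -> Optional[str]:
    """Parse an X-Forwarded-For style value ("client, proxy1, proxy2").

    Assumption: the first entry is the originating client, as with XFF.
    Returns a normalised IP string, or None if it does not parse.
    """
    first = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def rate_limit_key(headers: Mapping[str, str], source_ip: str,
                   secret: str = SHARED_SECRET) -> str:
    """Return the IP the rate limiter should count this request against.

    Both headers present and the credential matching -> use X-Client-IP.
    Anything else (headers omitted, one missing, wrong credential, or an
    unparseable IP) -> the connection's source IP, as the examples state.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    client_ip = lowered.get(CLIENT_IP_HEADER)
    auth = lowered.get(CLIENT_IP_AUTH_HEADER)
    if client_ip is None or auth is None:
        return source_ip
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(auth.encode(), secret.encode()):
        return source_ip
    parsed = parse_client_ip(client_ip)
    return parsed if parsed is not None else source_ip
```

A value that is not a valid IP is treated like a missing header, so a malformed X-Client-IP cannot create an unbounded set of rate-limit keys.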