Most of this should be handled at the WAF level. We should add a single rate limiter for an upper bound on requests per IP, e.g. `RACK_ATTACK_MAX_RPM` and `RACK_ATTACK_MAX_RPS`.
Other than that, we should remove the burst rate limiters, as well as account-level rate limiters and shedders. This will reduce needless strain on Redis per request.
Security-related rate limiters, e.g. on password reset and MFA, should stay.
While we're here, we should also tackle #724.
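As an added illustration (not code from this project), the layout proposed above in pure Ruby: one per-IP upper bound driven by `RACK_ATTACK_MAX_RPM` / `RACK_ATTACK_MAX_RPS`, plus a tighter security throttle that only counts password-reset and MFA hits. The fixed-window counter stands in for rack-attack's Redis-backed store so it runs offline; the default limits, the `/users/password` and `/users/mfa` paths and the security limit of 5/min are assumptions, and the `Rack::Attack.throttle` wiring at the end is only attached when the gem is already loaded.

```ruby
# Read the two upper-bound limits from the environment.
# Defaults are assumed for this example, not project values.
def limits_from_env(env = ENV)
  {
    rpm: Integer(env.fetch("RACK_ATTACK_MAX_RPM", "600")),
    rps: Integer(env.fetch("RACK_ATTACK_MAX_RPS", "20"))
  }
end

# Fixed-window counter keyed by (discriminator, window index), the same
# scheme rack-attack uses; rack-attack keeps the count in Redis, this uses a Hash.
class FixedWindowThrottle
  def initialize(limit:, period:)
    @limit, @period, @counts = limit, period, Hash.new(0)
  end

  # true if the request fits in the current window, false if it should get a 429
  def allow?(discriminator, now = Time.now.to_i)
    key = [discriminator, now / @period]
    @counts[key] += 1
    @counts[key] <= @limit
  end
end

SECURITY_PATHS = %w[/users/password /users/mfa].freeze # assumed paths

def build_throttles(limits = limits_from_env)
  {
    per_ip_rps: FixedWindowThrottle.new(limit: limits[:rps], period: 1),
    per_ip_rpm: FixedWindowThrottle.new(limit: limits[:rpm], period: 60),
    security:   FixedWindowThrottle.new(limit: 5, period: 60) # assumed limit
  }
end

# Every request is counted against both per-IP bounds (non-short-circuit `&`
# so both windows advance); security paths are additionally held to the
# tighter throttle that stays after the cleanup.
def allowed?(throttles, ip:, path:, now:)
  ok = throttles[:per_ip_rps].allow?(ip, now) & throttles[:per_ip_rpm].allow?(ip, now)
  ok &= throttles[:security].allow?(ip, now) if SECURITY_PATHS.include?(path)
  ok
end

# The equivalent initializer shape with the real gem (only runs if it is loaded).
if defined?(Rack::Attack)
  limits = limits_from_env
  Rack::Attack.throttle("req/ip/s", limit: limits[:rps], period: 1) { |req| req.ip }
  Rack::Attack.throttle("req/ip/m", limit: limits[:rpm], period: 60) { |req| req.ip }
  Rack::Attack.throttle("password-reset/ip", limit: 5, period: 60) do |req|
    req.ip if req.post? && SECURITY_PATHS.include?(req.path)
  end
end
```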