Changes

docker-compose/.env.template

@@ -101,3 +101,15 @@ Serilog__WriteTo__2__Args__enableSsl=true
 # CvMatcher API internal
 CvMatcherApi__BaseUrl=http://cv-matcher-api:8081
 CvMatcherApi__InternalApiKey=
+
+# Rate Limiting (api - public rate limits)
+# Window uses TimeSpan strings: "hh:mm:ss" (e.g. "00:01:00" = 1 minute, "00:10:00" = 10 minutes).
+RateLimiting__Global__PermitLimit=120
+RateLimiting__Global__Window=00:01:00
+RateLimiting__Global__QueueLimit=0
+RateLimiting__Policies__contact__PermitLimit=5
+RateLimiting__Policies__contact__Window=00:01:00
+RateLimiting__Policies__contact__QueueLimit=0
+RateLimiting__Policies__CvMatcher__PermitLimit=10
+RateLimiting__Policies__CvMatcher__Window=00:10:00
+RateLimiting__Policies__CvMatcher__QueueLimit=0

docker-compose/docker-compose.production.yml

@@ -170,6 +170,17 @@ services:
       - CvMatcherApi__BaseUrl=${CvMatcherApi__BaseUrl:-http://cv-matcher-api:8080}
       - CvMatcherApi__InternalApiKey=${CvMatcherApi__InternalApiKey:-change-this-internal-key}
 
+      # Rate Limiting: matches api appsettings RateLimiting section
+      - RateLimiting__Global__PermitLimit=${RateLimiting__Global__PermitLimit:-120}
+      - RateLimiting__Global__Window=${RateLimiting__Global__Window:-00:01:00}
+      - RateLimiting__Global__QueueLimit=${RateLimiting__Global__QueueLimit:-0}
+      - RateLimiting__Policies__contact__PermitLimit=${RateLimiting__Policies__contact__PermitLimit:-5}
+      - RateLimiting__Policies__contact__Window=${RateLimiting__Policies__contact__Window:-00:01:00}
+      - RateLimiting__Policies__contact__QueueLimit=${RateLimiting__Policies__contact__QueueLimit:-0}
+      - RateLimiting__Policies__CvMatcher__PermitLimit=${RateLimiting__Policies__CvMatcher__PermitLimit:-10}
+      - RateLimiting__Policies__CvMatcher__Window=${RateLimiting__Policies__CvMatcher__Window:-00:10:00}
+      - RateLimiting__Policies__CvMatcher__QueueLimit=${RateLimiting__Policies__CvMatcher__QueueLimit:-0}
+
       # CORS: not in the uploaded api appsettings, but used by your API startup config.
       - Cors__AllowedOrigins__0=${Cors__AllowedOrigins__0:-http://localhost:5000}
       - Cors__AllowedOrigins__1=${Cors__AllowedOrigins__1:-http://web:8080}

docker-compose/docker-compose.staging.yml

@@ -170,6 +170,17 @@ services:
       - CvMatcherApi__BaseUrl=${CvMatcherApi__BaseUrl:-http://cv-matcher-api:8080}
       - CvMatcherApi__InternalApiKey=${CvMatcherApi__InternalApiKey:-change-this-internal-key}
 
+      # Rate Limiting: matches api appsettings RateLimiting section
+      - RateLimiting__Global__PermitLimit=${RateLimiting__Global__PermitLimit:-120}
+      - RateLimiting__Global__Window=${RateLimiting__Global__Window:-00:01:00}
+      - RateLimiting__Global__QueueLimit=${RateLimiting__Global__QueueLimit:-0}
+      - RateLimiting__Policies__contact__PermitLimit=${RateLimiting__Policies__contact__PermitLimit:-5}
+      - RateLimiting__Policies__contact__Window=${RateLimiting__Policies__contact__Window:-00:01:00}
+      - RateLimiting__Policies__contact__QueueLimit=${RateLimiting__Policies__contact__QueueLimit:-0}
+      - RateLimiting__Policies__CvMatcher__PermitLimit=${RateLimiting__Policies__CvMatcher__PermitLimit:-10}
+      - RateLimiting__Policies__CvMatcher__Window=${RateLimiting__Policies__CvMatcher__Window:-00:10:00}
+      - RateLimiting__Policies__CvMatcher__QueueLimit=${RateLimiting__Policies__CvMatcher__QueueLimit:-0}
+
       # CORS: not in the uploaded api appsettings, but used by your API startup config.
       - Cors__AllowedOrigins__0=${Cors__AllowedOrigins__0:-http://localhost:5000}
       - Cors__AllowedOrigins__1=${Cors__AllowedOrigins__1:-http://web:8080}

docker-compose/docker-compose.yml

@@ -190,6 +190,17 @@ services:
       - CvMatcherApi__BaseUrl=${CvMatcherApi__BaseUrl:-http://cv-matcher-api:8080}
       - CvMatcherApi__InternalApiKey=${CvMatcherApi__InternalApiKey:-change-this-internal-key}
 
+      # Rate Limiting: matches api appsettings RateLimiting section
+      - RateLimiting__Global__PermitLimit=${RateLimiting__Global__PermitLimit:-120}
+      - RateLimiting__Global__Window=${RateLimiting__Global__Window:-00:01:00}
+      - RateLimiting__Global__QueueLimit=${RateLimiting__Global__QueueLimit:-0}
+      - RateLimiting__Policies__contact__PermitLimit=${RateLimiting__Policies__contact__PermitLimit:-5}
+      - RateLimiting__Policies__contact__Window=${RateLimiting__Policies__contact__Window:-00:01:00}
+      - RateLimiting__Policies__contact__QueueLimit=${RateLimiting__Policies__contact__QueueLimit:-0}
+      - RateLimiting__Policies__CvMatcher__PermitLimit=${RateLimiting__Policies__CvMatcher__PermitLimit:-10}
+      - RateLimiting__Policies__CvMatcher__Window=${RateLimiting__Policies__CvMatcher__Window:-00:10:00}
+      - RateLimiting__Policies__CvMatcher__QueueLimit=${RateLimiting__Policies__CvMatcher__QueueLimit:-0}
+
       # CORS: not in the uploaded api appsettings, but used by your API startup config.
       - Cors__AllowedOrigins__0=${Cors__AllowedOrigins__0:-http://localhost:5000}
       - Cors__AllowedOrigins__1=${Cors__AllowedOrigins__1:-http://web:8080}