Always return RateLimit-* headers (RackAttack)

Andreas Brandlrequested to merge
ab/rack-attack-headers into master

What does this MR do and why?

Always return RateLimit-* headers

We use RackAttack for rate limiting purposes. It returns RateLimit-* headers for throttled requests, but not for unthrottled ones.

This adds a Rack middleware to always return RateLimit-* headers, which allows a client to anticipate when it'll run into a rate limiting situation and act accordingly before this happens.

Example for the additional response headers:

$ curl -I http://127.0.0.1:3000/api/v4/projects 
HTTP/1.1 200 OK
...
RateLimit-Limit: 1
RateLimit-Name: throttle_unauthenticated_api
RateLimit-Observed: 3
RateLimit-Remaining: 2
RateLimit-Reset: 1761084000

References

Related to gitlab-com/gl-infra/production-engineering#25770 (closed)

Screenshots or screen recordings

Screencast_from_2025-10-23_12-20-43

How to set up and validate locally

We can test this out by making unauthenticated calls to the API. Without below steps, you should see something like this:

$ curl -I http://127.0.0.1:3000/api/v4/projects 
HTTP/1.1 200 OK
...
more headers, but no `RateLimit-*` headers present
...
  1. In rails console enable the feature flag 
    Feature.enable(:rate_limiting_headers_for_unthrottled_requests)
  2. Also on a rails console, let's tweak the rate limit setting for unauthenticated API calls: 
    s = Gitlab::CurrentSettings.current_application_settings
s.throttle_unauthenticated_api_enabled = true
s.throttle_unauthenticated_requests_per_period = 5
s.save!
  3. Restart rails-web: gdk restart rails-web or similar
  4. Make up to 5 requests like this and you will see a status 200 response with RateLimit-* headers (see expected result below)
  5. Once past 5 requests, the response will be HTTP/429 with RateLimit-* headers and additionally a Retry-After header

Expected result:

$ curl -I http://127.0.0.1:3000/api/v4/projects 
HTTP/1.1 200 OK
...
RateLimit-Limit: 1
RateLimit-Name: throttle_unauthenticated_api
RateLimit-Observed: 3
RateLimit-Remaining: 2
RateLimit-Reset: 1761084000

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andreas Brandl

Merge request reports