Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey there, do Ory ratelimits actually work? We've just gotten through yet another DDOS attack, which was 1 person refreshing the /login page...

The only time I've seen the ratelimit work is when I'm executing an HTTP request outside the browser. It seems like whatever ratelimit rules you have going just let bad actors do whatever aslong as it's coming from a browser...

And we can't enable cloudflare on Ory endpoints, per your recommendation and because it also breaks API access. When are we gonna have special ratelimit rules/whitelisted user-agents?

Hey,
Could you please provide more details, such as the project name and the timestamp when you experienced the issue?