Allow configuration of express-rate-limit's ipv6Subnet

alanorth · alanorth · commit cd978ea18c39 · 2026-01-24T12:30:27.000+03:00
56 is a moderately aggressive default. It may be increased to if users are being incorrectly blocked (try 60 or 64), or decreased if you are seeing evidence of abuse. See: https://express-rate-limit.mintlify.app/reference/configuration#ipv6subnet
diff --git a/config/config.example.yml b/config/config.example.yml
@@ -14,6 +14,9 @@ ui:
   rateLimiter:
     windowMs: 60000 # 1 minute
     limit: 500 # limit each IP to 500 requests per windowMs
+    # IPv6 subnet mask applied to IPv6 addresses.
+    # See: https://express-rate-limit.mintlify.app/reference/configuration#ipv6subnet
+    ipv6Subnet: 56
   # Trust X-FORWARDED-* headers from proxies (default = true)
   useProxies: true
 
diff --git a/src/config/config.util.spec.ts b/src/config/config.util.spec.ts
@@ -45,6 +45,7 @@ describe('Config Util', () => {
       expect(appConfig.cache.msToLive.default).toEqual(15 * 60 * 1000); // 15 minute
       expect(appConfig.ui.rateLimiter.windowMs).toEqual(1 * 60 * 1000); // 1 minute
       expect(appConfig.ui.rateLimiter.limit).toEqual(500);
+      expect(appConfig.ui.rateLimiter.ipv6Subnet).toEqual(56);
       expect(appConfig.ui.useProxies).toEqual(true);
 
       expect(appConfig.submission.autosave.metadata).toEqual([]);
@@ -59,6 +60,7 @@ describe('Config Util', () => {
       const rateLimiter = {
         windowMs: 5 * 50 * 1000, // 5 minutes
         limit: 1000,
+        ipv6Subnet: 56,
       };
       appConfig.ui.rateLimiter = rateLimiter;
 
@@ -83,6 +85,7 @@ describe('Config Util', () => {
       expect(mockProductionEnvironment.cache.msToLive.default).toEqual(msToLive);
       expect(mockProductionEnvironment.ui.rateLimiter.windowMs).toEqual(rateLimiter.windowMs);
       expect(mockProductionEnvironment.ui.rateLimiter.limit).toEqual(rateLimiter.limit);
+      expect(mockProductionEnvironment.ui.rateLimiter.ipv6Subnet).toEqual(rateLimiter.ipv6Subnet);
       expect(mockProductionEnvironment.ui.useProxies).toEqual(false);
       expect(mockProductionEnvironment.submission.autosave.metadata[0]).toEqual(autoSaveMetadata[0]);
       expect(mockProductionEnvironment.submission.autosave.metadata[1]).toEqual(autoSaveMetadata[1]);
diff --git a/src/config/default-app-config.ts b/src/config/default-app-config.ts
@@ -53,6 +53,7 @@ export class DefaultAppConfig implements AppConfig {
     rateLimiter: {
       windowMs: 1 * 60 * 1000, // 1 minute
       limit: 500, // limit each IP to 500 requests per windowMs
+      ipv6Subnet: 56, // IPv6 subnet mask applied to IPv6 addresses
     },
 
     // Trust X-FORWARDED-* headers from proxies
diff --git a/src/config/ui-server-config.interface.ts b/src/config/ui-server-config.interface.ts
@@ -9,6 +9,7 @@ export class UIServerConfig extends ServerConfig {
   rateLimiter?: {
     windowMs: number;
     limit: number;
+    ipv6Subnet: number;
   };
 
   // Trust X-FORWARDED-* headers from proxies
diff --git a/src/environments/environment.test.ts b/src/environments/environment.test.ts
@@ -48,6 +48,7 @@ export const environment: BuildConfig = {
     rateLimiter: {
       windowMs: 1 * 60 * 1000, // 1 minute
       limit: 500, // limit each IP to 500 requests per windowMs
+      ipv6Subnet: 56,
     },
     useProxies: true,
   },
