Rate limiting tracks submissions per IP address in 5-minute windows and blocks further submissions from that IP once the maximum number of attempts is exceeded. The block duration escalates with repeated violations, from 30 minutes up to 1 week for persistent offenders.
Because IP addresses are personal data under the GDPR, IP tracking (and with it the rate limit) is not activated by default. If you enable IP tracking, you must inform users in your privacy policy.
The feature counts submissions over 5-minute intervals. Once the maximum number of attempts is exceeded, the IP is blocked for a period of time. The block duration escalates with repeated violations within 24 hours: the first block lasts 30 minutes, the second 1 hour, the third 2 hours and the fourth 4 hours. From the fifth block on, a 1-week block is applied. 24 hours after the last block (or 1 week after a 1-week block), the block counter resets and the cycle starts over.
For maximum security, configure your own salt in your site/config/config.php. Use a long random string generated with a CSPRNG and keep it out of version control:

```php
// site/config/config.php
return [
    'philippoehrlein/kirby-email-manager.ip.salt' => 'your-secret-random-string',
    // ... other config
];
```
Why global salt? The salt is intentionally global (not per-form) to ensure that a blocked IP cannot bypass the rate limit by switching to a different form on your site.
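To make the escalation rules and the role of the global salt concrete, here is an added stand-alone model of the behaviour described above. It is example code, not the plugin's own implementation: the `RateLimiter` class, `client_key`, `burst` and `demo` are hypothetical names, HMAC-SHA256 stands in for whatever hashing scheme the plugin actually uses, and the exact reset trigger (24 hours after the last block, or once a 1-week block has run out) is an assumption drawn from the wording on this page. The sample IP addresses are constructed from the TEST-NET ranges.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Timing rules as described on this page.
WINDOW_SECONDS = 5 * 60
BLOCK_DURATIONS = [30 * 60, 60 * 60, 2 * 60 * 60, 4 * 60 * 60]  # blocks 1 to 4
LONG_BLOCK_SECONDS = 7 * 24 * 60 * 60                           # block 5 and later
ESCALATION_RESET_SECONDS = 24 * 60 * 60


def block_duration(n: int) -> int:
    """Duration of the n-th block (1-based) within one escalation cycle."""
    if n <= 0:
        return 0
    if n <= len(BLOCK_DURATIONS):
        return BLOCK_DURATIONS[n - 1]
    return LONG_BLOCK_SECONDS


def client_key(salt: str, ip: str) -> str:
    """Derive the storage key for an IP from the site-wide salt.

    Assumption: HMAC-SHA256 stands in for the plugin's hashing scheme, which the
    page does not show. Because the salt is global rather than per form, one IP
    maps to the same key on every form, so a block follows the client, not the form.
    """
    return hmac.new(salt.encode(), ip.encode(), hashlib.sha256).hexdigest()


class RateLimiter:
    """In-memory model of the escalating block logic (hypothetical, not the plugin's class)."""

    def __init__(self, salt: str, max_attempts: int = 5):
        self.salt = salt
        self.max_attempts = max_attempts
        self.attempts = defaultdict(deque)  # key -> submission times inside the window
        self.blocked_until = {}             # key -> time the current block expires
        self.block_count = {}               # key -> blocks issued in the current cycle
        self.last_block_at = {}             # key -> time the latest block was issued

    def submit(self, ip: str, now: float):
        """Record one submission attempt. Returns (allowed, retry_after_seconds)."""
        key = client_key(self.salt, ip)

        until = self.blocked_until.get(key, 0)
        if now < until:
            return False, until - now  # still blocked; the counter is not touched

        # Escalation counter resets 24 h after the last block was issued, or once a
        # 1-week block has run out (assumption about the exact reset trigger).
        last = self.last_block_at.get(key)
        if last is not None:
            reset_after = max(ESCALATION_RESET_SECONDS,
                              block_duration(self.block_count.get(key, 0)))
            if now - last >= reset_after:
                self.block_count.pop(key, None)
                self.last_block_at.pop(key, None)
                self.blocked_until.pop(key, None)

        # Slide the 5-minute window and record this attempt.
        window = self.attempts[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        if len(window) <= self.max_attempts:
            return True, 0

        # maxattempts exceeded: issue the next block in the sequence.
        n = self.block_count.get(key, 0) + 1
        duration = block_duration(n)
        self.block_count[key] = n
        self.last_block_at[key] = now
        self.blocked_until[key] = now + duration
        window.clear()
        return False, duration


def burst(rl: RateLimiter, ip: str, start: float, count: int = 6):
    """Submit `count` times one second apart; returns the result of the last submission."""
    result = (True, 0)
    for i in range(count):
        result = rl.submit(ip, start + i)
    return result


def demo() -> list:
    """Drive one client through a full cycle; returns the block durations issued."""
    rl = RateLimiter(salt="replace-with-your-secret-random-string")
    ip = "203.0.113.7"  # constructed sample address from the TEST-NET-3 range
    t = 0
    issued = []
    for _ in range(6):
        # Six submissions inside one 5-minute window: the sixth exceeds maxattempts=5.
        allowed, retry = burst(rl, ip, t)
        issued.append(retry)
        t = t + 5 + retry  # return the moment the block expires
    return issued


if __name__ == "__main__":
    print(demo())  # [1800, 3600, 7200, 14400, 604800, 1800]
```

Running `demo()` shows the sequence 30 min, 1 h, 2 h, 4 h, 1 week, and then 30 min again once the counter has reset. Two points worth noting from the model: submissions made while a block is active are rejected without advancing the escalation counter, and because `client_key` depends only on the salt and the IP, a second form on the same site sees the same key and therefore the same block.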
Rate limiting is configured directly within the form blueprint:

```yaml
ratelimit:
  trackip: true
  maxattempts: 5
```
| Name | Type | Default | Description |
|---|---|---|---|
| maxattempts | int | 5 | The maximum number of allowed submissions within the 5-minute window. |
| trackip | bool | false | Activates IP tracking and, with it, the rate limit. |
With this blueprint, IP tracking is enabled and a client that submits the form more than 5 times within a 5-minute window is blocked, with the block durations escalating as described above.