isapir commented on code in PR #767: URL: https://github.com/apache/tomcat/pull/767#discussion_r1828122723
########## java/org/apache/catalina/filters/RateLimitFilter.java: ##########
@@ -63,6 +67,10 @@ * information that it has, e.g. allow more requests to certain users based on roles, etc. * </p> * <p> + * The <code>exposeHeaders</code> allows output runtime information of rate limiter via response header, is disabled by + * default, only for http-api or debugging purpose. Those runtime information should not be accessible to the attackers. + * </p> + * <p>

Review Comment:
I agree with @markt-asf. It is much easier to review smaller PRs, so breaking a large PR into smaller PRs, and even avoiding making unnecessary changes, make it much easier to review and accept. For example, if this PR is for the ExactRateLimiter, which does not use `java/org/apache/catalina/util/TimeBucketCounter.java`, then changes to that class can be removed from here.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
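Review bot: the Javadoc added in the `@@ -63,6 +67,10 @@` hunk is hard to parse ("allows output runtime information of rate limiter via response header, is disabled by default, only for http-api or debugging purpose") and never says which runtime information becomes visible or why it must be kept from attackers, which is the one thing an operator deciding whether to enable it needs to know. Suggest rewording along the lines of: "Setting <code>exposeHeaders</code> to <code>true</code> adds response headers that report the rate limiter's runtime state. It is disabled by default and intended only for API clients or debugging: a client that can read how much of its quota remains can pace requests to stay just under the limit, so leave it off in production." While there, "Those runtime information should not be accessible to the attackers" should read "This runtime information should not be accessible to attackers", and the paragraph should list the header names the option adds so the documentation states exactly what is exposed.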