核心价值

从 `X-Forwarded-For` 提取客户端 IP 并进行入口级速率限制,降低滥用与攻击风险。需要注意:`X-Forwarded-For` 是客户端可自行设置的请求头,只有当前面有受信任的反向代理/CDN 覆盖或追加该头时,取值才可靠;若服务直接暴露在公网,攻击者可以随意更换该头的值来绕过按 IP 的限流。超限时使用标准的 `Retry-After` 响应头告知客户端何时可重试,提高客户端协作性。

实现

import { NextResponse, NextRequest } from 'next/server'
/** Per-client counter for the current fixed window; `reset` is the epoch-ms at which the window ends. */
type Bucket = { count: number; reset: number }

/** In-memory bucket store keyed by client IP. Process-local: not shared across instances, lost on restart. */
const buckets = new Map<string, Bucket>()

/** Fixed window length in milliseconds. */
const WINDOW = 10 * 1000

/** Maximum requests allowed per window before a 429 is returned. */
const LIMIT = 30
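/**
 * Loose syntactic check that `s` is an IPv4 or IPv6 literal.
 * Hand-rolled because `node:net` is not available on the Edge runtime where
 * middleware may run. Accepts dotted-quad IPv4 with octets 0-255, or a string of
 * hex digits/colons/dots containing at least one colon (IPv6, possibly with an
 * embedded IPv4 tail). 45 chars is the longest valid textual IPv6 form.
 */
function looksLikeIP(s: string): boolean {
  if (s.length === 0 || s.length > 45) return false
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s)
  if (v4) return v4.slice(1).every((octet) => Number(octet) <= 255)
  return s.includes(':') && /^[0-9a-fA-F:.]+$/.test(s)
}

/**
 * Best-effort client IP used as the rate-limit bucket key.
 *
 * Order of preference: the first `X-Forwarded-For` entry (if it is a valid IP
 * literal), then `req.ip`, then the literal `'unknown'`. Validating the header
 * value keeps arbitrary client-supplied strings from becoming bucket keys.
 *
 * SECURITY: `X-Forwarded-For` is attacker-controlled. The first entry is only
 * meaningful when a trusted proxy in front of this app overwrites the header;
 * otherwise a client can rotate spoofed addresses to evade the limit entirely.
 * Behind a known proxy chain, select the entry by trusted-proxy count (or use
 * the platform's verified client address) instead of the first one.
 *
 * Clients that resolve to `'unknown'` share a single bucket, so they can
 * throttle each other.
 *
 * @param req incoming request; only `headers` and `ip` are read.
 * @returns the bucket key for this client.
 */
function getIP(req: NextRequest): string {
  const xff = req.headers.get('x-forwarded-for') ?? ''
  // split() always yields at least one element; `?? ''` just satisfies noUncheckedIndexedAccess.
  const candidate = xff.split(',')[0]?.trim() ?? ''
  if (looksLikeIP(candidate)) return candidate
  // Header absent or malformed: fall back to the platform-provided address.
  return req.ip || 'unknown'
}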
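/** Sweep expired buckets once the map grows past this many entries, keeping memory bounded. */
const SWEEP_THRESHOLD = 10_000

/** Delete every bucket whose window has already ended. O(n), so only run when the map is large. */
function sweepExpired(now: number): void {
  for (const [key, bucket] of buckets) {
    if (now >= bucket.reset) buckets.delete(key)
  }
}

/**
 * Entry-level fixed-window rate limiter.
 *
 * Each client key (see `getIP`) may make up to `LIMIT` requests per `WINDOW` ms.
 * Over the limit the request gets a 429 carrying `Retry-After` plus the
 * draft-standard `RateLimit-Limit` / `RateLimit-Remaining` / `RateLimit-Reset`
 * headers (all in whole seconds); otherwise it is passed through unchanged.
 *
 * State is a process-local `Map`: limits are per instance and vanish on
 * restart. Because bucket keys derive from a client-controlled header, the map
 * is swept of expired entries once it grows past `SWEEP_THRESHOLD` so a client
 * rotating spoofed addresses cannot grow it without bound.
 *
 * @param req the incoming request.
 * @returns a 429 `NextResponse` when over the limit, else `NextResponse.next()`.
 */
export function middleware(req: NextRequest) {
  const ip = getIP(req)
  const now = Date.now()

  if (buckets.size > SWEEP_THRESHOLD) sweepExpired(now)

  const bucket = buckets.get(ip) ?? { count: 0, reset: now + WINDOW }
  // `>=` so a request landing exactly at the window end starts a fresh window;
  // with `>` it would still be rejected while Retry-After computed to 0.
  if (now >= bucket.reset) {
    bucket.count = 0
    bucket.reset = now + WINDOW
  }
  bucket.count += 1
  buckets.set(ip, bucket)

  if (bucket.count > LIMIT) {
    // Always >= 1 here because reset was just moved past `now` if it had elapsed.
    const secondsUntilReset = Math.ceil((bucket.reset - now) / 1000)
    return new NextResponse('Too Many Requests', {
      status: 429,
      headers: {
        'Retry-After': String(secondsUntilReset),
        'RateLimit-Limit': String(LIMIT),
        'RateLimit-Remaining': '0',
        'RateLimit-Reset': String(secondsUntilReset),
      },
    })
  }
  return NextResponse.next()
}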
/**
 * Paths the limiter applies to: everything except Next.js internals (`/_next/*`)
 * and the public API namespace (`/api/public/*`). Root-level static files such
 * as `/favicon.ico` are NOT excluded by this pattern and still pass through the
 * limiter.
 */
const RATE_LIMITED_PATHS = '/((?!_next|api/public).*)'

export const config = { matcher: [RATE_LIMITED_PATHS] }
治理建议

生产环境建议使用共享的持久化存储(如 Redis)或网关/CDN 级限流;示例中的 `Map` 只存在于单个进程/实例内存中,多实例或 Edge/Serverless 部署下各实例互不共享,重启即清空,且示例代码不会清理过期条目——由于桶的键来自客户端可控的 `X-Forwarded-For`,攻击者轮换伪造地址即可让该 `Map` 无限增长。示例仅作为轻量入口治理,适合低流量保护。对静态资源与公开 API 排除限流(如通过 `matcher` 白名单),避免影响正常访问;注意示例中的 `matcher` 只排除了 `_next` 与 `api/public`,根路径下的 `favicon.ico` 等静态文件仍会经过限流。另外 `req.ip` 是否有值取决于托管平台,不可作为唯一依赖。

结论

入口限流是前端安全的基础防线之一。在受信任代理之后正确提取 IP,并配合 `Retry-After` 等标准限流响应头,可提升可预期性并降低滥用风险;但它不能替代应用层的认证、鉴权与业务级配额。
