Security Rate Limiter: Custom OpenMage Module
Challenge
A live log review uncovered repeated automated SQL injection attempts against the shop's API endpoints: multiple requests per minute from the same source IPs. The existing JSON validator was blocking the injections, but every request still reached the application server and consumed PHP-FPM workers, degrading response times for real users during attack windows.
What Was Built
A configurable rate limiter integrated into the existing custom security module. It tracks request rates per source IP in Redis (already in use for sessions). Thresholds are configurable: maximum requests per time window, window duration, and the action taken on a breach (block with HTTP 429, log only, or both). All parameters are exposed in the Magento system configuration UI. The limiter applies only to configurable URL patterns rather than shop-wide, so legitimate high-frequency AJAX flows (cart updates, autocomplete, etc.) are not caught as false positives.
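To show the per-IP counting, the URL-pattern scoping and the three breach actions described above, here is an added example in Python; it is not the module's own PHP code. It assumes the usual Redis fixed-window pattern (INCR on a per-IP key, EXPIRE set on the first hit of a window) and replaces the Redis connection with a constructed in-memory store so it runs offline; the IPs, paths and thresholds are made up.

```python
import re


class MemoryStore:
    """Constructed stand-in for the two Redis calls the pattern needs: INCR and EXPIRE."""

    def __init__(self):
        self.counts = {}
        self.expires = {}

    def _purge(self, key, now):
        # Emulate Redis key expiry: a key whose TTL has passed no longer exists.
        if key in self.expires and self.expires[key] <= now:
            self.counts.pop(key, None)
            self.expires.pop(key, None)

    def incr(self, key, now):
        self._purge(key, now)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key]

    def expire(self, key, ttl, now):
        self.expires[key] = now + ttl


class RateLimiter:
    def __init__(self, store, max_requests, window_seconds, action, url_patterns):
        self.store = store
        self.max_requests = max_requests  # "max requests per time window" setting
        self.window = window_seconds      # "window duration" setting
        self.action = action              # "block", "log" or "both" (action on breach)
        self.patterns = [re.compile(p) for p in url_patterns]  # protected URL patterns
        self.log = []  # captured log lines (a real module would write to the security log)

    def check(self, ip, path, now):
        """Return the HTTP status the request should get: 200 to pass, 429 to block."""
        if not any(p.search(path) for p in self.patterns):
            return 200  # outside the protected patterns: never throttled (no AJAX false positives)
        key = f"ratelimit:{ip}"
        count = self.store.incr(key, now)
        if count == 1:
            self.store.expire(key, self.window, now)  # first hit of a window starts its TTL
        if count <= self.max_requests:
            return 200
        if self.action in ("log", "both"):
            self.log.append(f"rate limit exceeded ip={ip} path={path} count={count}")
        return 429 if self.action in ("block", "both") else 200
```

A fixed window is the simplest Redis-backed scheme; note that a client can send up to twice the threshold across a window boundary, so size the threshold with that burst in mind or move to a sliding window if it matters.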
Outcome
Automated attack traffic is throttled by the rate limiter before it reaches PHP-FPM, and worker saturation during attack periods has been eliminated. All configuration is in the hands of the shop admin via the standard Magento backend.
Have a similar challenge?
Get in touch - no sales pitch, just a straightforward conversation.