
Anti-abuse

The Anti-abuse tab of the System screen holds the protective limits for the public-facing endpoints and for the login and extension paths. Every limit accepts 0, which disables that particular limiter.

The settings are grouped into three blocks.

Public endpoint protection

Public endpoint protection covers postback conversion idempotency and a per-IP request ceiling on the public write endpoints (the postback endpoint and /pwa-api/*). A repeat of an identical postback within the idempotency window writes one deposit, not many, which defeats replays and double-counted tracker retries; a legitimate redeposit (a different amount, or one arriving outside the window) still passes. Applied at runtime, no restart.

Keep the rate limits generous

The per-IP request ceiling is a denial-of-service guard, not a fine-grained quota: partner IP pools and carrier-grade NAT can place many legitimate users behind a single address. Set it high enough that real traffic never reaches it.
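The idempotency rule from the Public endpoint protection block, as an added illustration (this is not the product's own code). Assumptions not taken from the page: a postback is identified by the tuple (click_id, amount, currency), and the window is configured in seconds.

```python
# Added example, not the product's own code: a minimal model of the postback
# idempotency window. Assumed (not from the page): a postback is keyed by
# (click_id, amount, currency); the window is in seconds.
from collections import deque
from typing import Optional
import time


class PostbackDeduper:
    """Decides whether an incoming postback should write a deposit.

    An identical postback (same key) inside the window is a replay or a tracker
    retry and writes nothing; the same key after the window, or a different
    amount, is a legitimate redeposit and passes. window_s=0 disables the check,
    matching the "0 disables that limiter" rule.
    """

    def __init__(self, window_s: int):
        self.window_s = window_s
        self._last_write = {}   # key -> time of the last deposit actually written
        self._order = deque()   # (time, key) in write order, used for pruning

    def accept(self, click_id: str, amount: str, currency: str,
               now: Optional[float] = None) -> bool:
        if self.window_s <= 0:
            return True                       # limiter disabled
        now = time.time() if now is None else now
        self._prune(now)
        key = (click_id, amount.strip(), currency.upper())
        last = self._last_write.get(key)
        if last is not None and now - last < self.window_s:
            return False                      # identical postback inside the window
        self._last_write[key] = now
        self._order.append((now, key))
        return True

    def _prune(self, now: float) -> None:
        # Drop entries older than the window so memory stays bounded under a flood.
        while self._order and now - self._order[0][0] >= self.window_s:
            _, key = self._order.popleft()
            last = self._last_write.get(key)
            if last is not None and now - last >= self.window_s:
                del self._last_write[key]
```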

Login & extension brute-force

Login & extension brute-force protection sets the brute-force thresholds for the login endpoint and the extension credentials endpoint:

  • login attempts per IP per minute;
  • failed logins per account per 15 minutes;
  • extension profile probes per IP per minute;
  • a throttle on the extension's "alive" marks.

Applied at runtime, no restart.

Server timeouts

Server timeouts are the connection timeouts for both HTTP servers (the admin panel and the public PWA): the request-header read timeout, which mitigates the Slowloris hold-open attack, and the idle keep-alive timeout. Both are read at startup, so a change takes effect only after a restart.

Each field carries a hint with the recommended value. After editing, click Save.

[Figure: The Anti-abuse tab with the three protection blocks]
