Anti-abuse
The Anti-abuse tab of the System screen holds the protective limits on the public-facing endpoints and on the login and extension paths. Every limit accepts 0, which disables that particular limiter.
The settings are grouped into three blocks.
Public endpoint protection
Public endpoint protection — postback conversion idempotency and a per-IP request ceiling on the public write endpoints (the postback endpoint and /pwa-api/*). A repeat of an identical postback within the idempotency window writes one deposit, not many, which stops replays and double-counted tracker retries, while a legitimate redeposit (a different amount, or one arriving outside the window) still passes. These settings apply at runtime; no restart is needed.
The per-IP request ceiling is a denial-of-service guard, not a fine-grained quota: partner IP pools and carrier-grade NAT can place many legitimate users behind a single address, so keep it high enough that real traffic never reaches it. If the servers sit behind a reverse proxy or load balancer, make sure the application counts the real client address rather than the proxy's, otherwise every request lands in one bucket and the ceiling hits all users at once.
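An added example, not the product's own code, of how the idempotency window collapses identical postbacks: a Go deduper keyed on the fields a tracker would repeat verbatim on a retry. The Postback shape, the choice of key fields and the ten-minute window are assumptions of this example; the page only states the behaviour (identical repeat inside the window is dropped, a different amount or a repeat outside the window passes, 0 disables the limiter).

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Postback is a hypothetical shape for the conversion postback a tracker sends.
// Which fields make up the identity of a postback is an assumption of this
// example; the page only says that an identical repeat inside the window is
// collapsed and that a different amount counts as a new deposit.
type Postback struct {
	ClickID string
	Event   string
	Amount  int64 // minor currency units, never a float
	TxID    string
}

func (p Postback) key() string {
	return fmt.Sprintf("%s|%s|%d|%s", p.ClickID, p.Event, p.Amount, p.TxID)
}

// Deduper admits a given postback once per idempotency window. A window of 0
// disables it, matching the "0 disables that limiter" rule of the tab.
type Deduper struct {
	mu     sync.Mutex
	window time.Duration
	seen   map[string]time.Time // key -> time the first copy was admitted
	now    func() time.Time     // injectable clock so the window is testable
}

func NewDeduper(window time.Duration) *Deduper {
	return &Deduper{window: window, seen: map[string]time.Time{}, now: time.Now}
}

// Admit reports whether this postback should write a deposit. The first copy
// inside a window passes; identical copies within the window are dropped.
func (d *Deduper) Admit(p Postback) bool {
	if d.window == 0 {
		return true
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	now := d.now()
	// Drop expired keys first so the map is bounded by one window's traffic.
	for k, t := range d.seen {
		if now.Sub(t) >= d.window {
			delete(d.seen, k)
		}
	}
	k := p.key()
	if _, dup := d.seen[k]; dup {
		return false // replay, or a tracker retry of an already-written deposit
	}
	d.seen[k] = now
	return true
}

// Deposits runs a batch through the deduper and returns how many deposits
// would be written.
func Deposits(d *Deduper, batch []Postback) int {
	n := 0
	for _, p := range batch {
		if d.Admit(p) {
			n++
		}
	}
	return n
}

func main() {
	d := NewDeduper(10 * time.Minute)
	first := Postback{ClickID: "c-1", Event: "deposit", Amount: 5000, TxID: "tx-1"}
	// Constructed batch: one deposit, a tracker retry, a replay, a real redeposit.
	batch := []Postback{
		first,
		first, // tracker retry of the same deposit: must not double count
		first, // attacker replay of the captured postback
		{ClickID: "c-1", Event: "deposit", Amount: 7500, TxID: "tx-2"}, // different amount
	}
	fmt.Println("deposits written:", Deposits(d, batch)) // 2
}
```

The sweep on every call keeps the example short; a production version would sweep on a timer and persist the seen keys so a process restart inside the window does not reopen it.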
Login & extension brute-force
Login & extension brute-force protection — brute-force thresholds for the login endpoint and the extension credentials endpoint:
- login attempts per IP per minute;
- failed logins per account per 15 minutes;
- extension profile probes per IP per minute;
- a throttle on the extension's "alive" marks.
These thresholds apply at runtime; no restart is needed.
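An added example, not the product's own code, that covers both the per-IP request ceiling from the block above and the four login and extension thresholds listed here: one fixed-window counter keyed per rule and per IP or account, where a limit of 0 disables the rule. The rule names, the numbers, the Login flow and the passwordOK stand-in for a password check are assumptions for the demonstration; the tab's own field hints give the recommended values.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Rule is one limit from the tab: at most Limit hits per key inside Window.
// Limit 0 disables the rule, as 0 does for every field on the tab.
type Rule struct {
	Name   string
	Limit  int
	Window time.Duration
}

type bucket struct {
	start time.Time
	count int
}

// Limiter keeps a fixed-window counter per (rule, key). The key is the
// dimension each limit is stated in: a client IP for the request ceiling, the
// login and probe limits and the alive-mark throttle; an account name for the
// failed-login limit.
type Limiter struct {
	mu      sync.Mutex
	rules   map[string]Rule
	buckets map[string]*bucket
	now     func() time.Time // injectable clock so the windows are testable
}

func NewLimiter(rules ...Rule) *Limiter {
	l := &Limiter{rules: map[string]Rule{}, buckets: map[string]*bucket{}, now: time.Now}
	for _, r := range rules {
		l.rules[r.Name] = r
	}
	return l
}

// bucketFor returns the current window's bucket, starting a fresh one when
// the previous window has elapsed. The caller holds l.mu.
func (l *Limiter) bucketFor(r Rule, key string) *bucket {
	now := l.now()
	id := r.Name + "\x00" + key
	b := l.buckets[id]
	if b == nil || now.Sub(b.start) >= r.Window {
		b = &bucket{start: now}
		l.buckets[id] = b
	}
	return b
}

// Hit records one event and reports whether the key is still within its limit.
func (l *Limiter) Hit(rule, key string) bool {
	r, ok := l.rules[rule]
	if !ok || r.Limit == 0 {
		return true // unknown or disabled rule: never block
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	b := l.bucketFor(r, key)
	b.count++
	return b.count <= r.Limit
}

// Blocked reports whether the key has already used up its limit in the
// current window, without recording a new event.
func (l *Limiter) Blocked(rule, key string) bool {
	r, ok := l.rules[rule]
	if !ok || r.Limit == 0 {
		return false
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.bucketFor(r, key).count >= r.Limit
}

// DefaultRules names the five limits on the tab. The numbers are assumptions
// for this example, not the tab's recommended values.
func DefaultRules() []Rule {
	return []Rule{
		{"public_ip", 600, time.Minute},               // request ceiling on the postback and /pwa-api/*
		{"login_ip", 20, time.Minute},                 // login attempts per IP per minute
		{"login_account_failed", 5, 15 * time.Minute}, // failed logins per account per 15 minutes
		{"ext_probe_ip", 30, time.Minute},             // extension profile probes per IP per minute
		{"ext_alive", 1, 30 * time.Second},            // one "alive" mark per extension key per 30 s
	}
}

// Login applies both login thresholds around a password check, which the
// passwordOK argument stands in for. Only failures count against the account.
func Login(l *Limiter, ip, account string, passwordOK bool) string {
	if !l.Hit("login_ip", ip) {
		return "throttled_ip"
	}
	if l.Blocked("login_account_failed", account) {
		return "locked_account" // refused until the 15-minute window rolls over
	}
	if !passwordOK {
		l.Hit("login_account_failed", account)
		return "bad_password"
	}
	return "ok"
}

func main() {
	l := NewLimiter(DefaultRules()...)
	// Constructed credential-stuffing run: one account, a fresh IP per try, so
	// the per-IP limit never fires and the per-account limit has to do the work.
	for i := 1; i <= 6; i++ {
		ip := fmt.Sprintf("198.51.100.%d", i)
		fmt.Printf("try %d from %s: %s\n", i, ip, Login(l, ip, "alice", false))
	}
	fmt.Println("owner, correct password:", Login(l, "203.0.113.7", "alice", true))
}
```

The two login thresholds are deliberately independent: an attacker rotating source addresses never trips the per-IP counter, so the per-account counter is what ends the run, at the cost of locking the legitimate owner out until the window expires.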
Server timeouts
Server timeouts — connection timeouts for both HTTP servers (the admin panel and the public PWA): the request-header read timeout, which bounds how long a client may take to finish sending its headers and so defeats the slowloris hold-open attack (a client that trickles a request in byte by byte to keep a connection occupied), and the idle keep-alive timeout, which bounds how long a connection may sit unused between requests. Both are read at startup, so a change applies only after a restart. Setting either to 0 disables that timeout entirely, and with it the protection it provides.
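An added example, not the product's own code, of what these two settings do if the servers are built on Go's net/http (an assumption; the page only names the timeouts). It builds a server with the two timeouts and then plays a slowloris client against it on a loopback port: a connection that sends a request line and one header and never the blank line that ends the headers. With a request-header read timeout the server hangs up; with 0 the socket stays open for as long as the client likes.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// Timeouts mirrors the two startup-time fields on the tab. A zero value
// disables that timeout, exactly as it does in net/http.
type Timeouts struct {
	ReadHeader time.Duration // request-header read timeout
	Idle       time.Duration // idle keep-alive timeout
}

// NewServer builds one of the two HTTP servers with the configured timeouts.
// Both map directly onto http.Server fields.
func NewServer(addr string, h http.Handler, t Timeouts) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: t.ReadHeader, // how long a client may take to finish its headers
		IdleTimeout:       t.Idle,       // how long a keep-alive connection may sit between requests
	}
}

// SlowLorisClosed starts a server on a loopback port, opens one connection
// that sends a partial request and never finishes the headers, and reports
// whether the server dropped the connection within wait.
func SlowLorisClosed(t Timeouts, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := NewServer(ln.Addr().String(), http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}), t)
	go srv.Serve(ln)
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// A request line and one header, but never the blank line that ends the headers.
	if _, err := io.WriteString(conn, "GET / HTTP/1.1\r\nHost: pwa.example\r\n"); err != nil {
		return false, err
	}
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	_, err = conn.Read(make([]byte, 1))
	var ne net.Error
	switch {
	case err == nil:
		return false, errors.New("unexpected response to an unfinished request")
	case errors.As(err, &ne) && ne.Timeout():
		return false, nil // our own read deadline hit: the server is still holding the socket
	default:
		return true, nil // EOF or reset: the server gave up on the client
	}
}

func main() {
	guarded := Timeouts{ReadHeader: 200 * time.Millisecond, Idle: 60 * time.Second}
	disabled := Timeouts{} // both fields 0, as the tab allows
	for _, t := range []Timeouts{guarded, disabled} {
		closed, err := SlowLorisClosed(t, time.Second)
		fmt.Printf("ReadHeaderTimeout=%v closed=%v err=%v\n", t.ReadHeader, closed, err)
	}
}
```

The slowloris connection costs the attacker almost nothing and costs the server a goroutine and a file descriptor for as long as it stays open, which is why the header timeout should be a few seconds, not 0; the idle timeout is less security-critical but keeps abandoned keep-alive connections from piling up.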
Each field carries a hint with the recommended value. After editing, click Save; the runtime limits take effect immediately, while the server timeouts wait for the next restart.
