GuardAPI

Fix Lack of Resources & Rate Limiting in Fresh

Fresh applications built on Deno are susceptible to resource exhaustion and denial of service if handlers are left unprotected. Without global or route-specific rate limiting, an attacker can script high-concurrency bursts that pin the CPU of the Deno process, grow its memory with buffered request bodies, or saturate the backend database behind the handler. We mitigate this with a custom middleware that uses Deno KV as the shared state store for per-client request quotas, so that every instance of the app enforces the same limit when KV is backed by a remote store such as Deno Deploy.

The Vulnerable Pattern

// routes/api/submit.ts
import { Handlers } from "$fresh/server.ts";

// Placeholder for the route's own CPU- or database-heavy logic.
async function doExpensiveWork(data: unknown) {
  return { ok: true, received: data };
}

export const handler: Handlers = {
  async POST(req) {
    // VULNERABILITY: No rate limiting or payload size validation.
    // An attacker can flood this endpoint to exhaust memory or CPU,
    // and req.json() buffers an arbitrarily large body before any check runs.
    const data = await req.json();
    const result = await doExpensiveWork(data);
    return new Response(JSON.stringify(result));
  },
};

The Secure Implementation

The secure implementation adds a middleware that uses Deno KV to count POST requests per client IP over a fixed one-minute window. Each request reads the current bucket (hit count and window expiry), returns HTTP 429 with a Retry-After header once the count has reached the threshold (20 requests/min), and otherwise commits the incremented count. A plain get-then-set is not atomic: two requests arriving together can both read a count of 19 and both be admitted. The write therefore goes through kv.atomic().check(entry), which only succeeds if the entry's versionstamp is unchanged since it was read; a request that loses that race is rejected rather than silently admitted. Because the 429 is returned before ctx.next(), the expensive handler never runs for excess traffic, which is what prevents CPU pinning and memory exhaustion from automated tooling or botnets.

Two caveats a practitioner should apply. First, behind a reverse proxy or load balancer ctx.remoteAddr is the proxy's address, so the client IP must instead be taken from a forwarding header that the proxy is trusted to set, or every client shares one bucket. Second, rate limiting bounds how many requests a client may send, not how large each one is; the route handler should still reject oversized payloads (for example by checking Content-Length against a maximum) before calling req.json().

// routes/_middleware.ts
import { MiddlewareHandlerContext } from "$fresh/server.ts";

const kv = await Deno.openKv();
const RATE_LIMIT = 20;        // Max requests per window
const WINDOW_MS = 60 * 1000;  // 1 minute window

interface Bucket {
  count: number;   // requests seen in the current window
  expires: number; // epoch ms at which the window ends
}

export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
  if (req.method !== "POST") return await ctx.next();

  // Behind a reverse proxy this is the proxy's address; derive the client
  // address from the proxy's trusted forwarding header there instead.
  const ip = ctx.remoteAddr.hostname;
  const key = ["rate_limit", ip];
  const now = Date.now();

  const entry = await kv.get<Bucket>(key);
  let next: Bucket;

  if (entry.value && now < entry.value.expires) {
    if (entry.value.count >= RATE_LIMIT) {
      // Reject before any expensive work; tell the client when the window ends.
      const retryAfter = Math.ceil((entry.value.expires - now) / 1000);
      return new Response("Rate limit exceeded. Try again later.", {
        status: 429,
        headers: { "Retry-After": String(retryAfter) },
      });
    }
    next = { count: entry.value.count + 1, expires: entry.value.expires };
  } else {
    next = { count: 1, expires: now + WINDOW_MS };
  }

  // Commit only if the key's versionstamp is unchanged since the read, so two
  // concurrent requests cannot both observe count 19 and both be admitted.
  const res = await kv.atomic()
    .check(entry)
    .set(key, next, { expireIn: next.expires - now })
    .commit();

  if (!res.ok) {
    // Lost the race with a concurrent request from the same client: fail closed.
    return new Response("Rate limit exceeded. Try again later.", {
      status: 429,
      headers: { "Retry-After": "1" },
    });
  }

  return await ctx.next();
}
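As an added example (this is not code from GuardAPI's page or from the Fresh project), the following TypeScript factors the fixed-window decision out of the middleware above so it can be exercised offline: an in-memory store that mimics Deno KV's versionstamp-based compare-and-set, a limiter that retries when it loses that race, a simulated burst from one address, and the Content-Length gate the vulnerable handler also lacks. The names MemoryStore, FixedWindowLimiter, decide, bodyTooLarge and simulateBurst, and the sample addresses, are assumptions made for illustration; in Fresh the store calls map onto kv.get() and kv.atomic().check(entry).set().

```typescript
// Added example, not GuardAPI's or Fresh's code. Fixed-window rate limiting
// with a compare-and-set store, runnable without Deno KV.

interface Bucket {
  count: number;   // requests seen in the current window
  expires: number; // epoch ms at which the window ends
}

// Shape of what Deno KV's get() returns: value plus a versionstamp.
interface Entry {
  value: Bucket | null;
  versionstamp: string | null;
}

interface Decision {
  allow: boolean;
  next: Bucket;       // bucket to write if allowed
  retryAfter: number; // seconds; meaningful only when allow === false
}

// Pure decision: given the stored bucket and the clock, admit or reject.
function decide(current: Bucket | null, now: number, limit: number, windowMs: number): Decision {
  if (current && now < current.expires) {
    if (current.count >= limit) {
      return { allow: false, next: current, retryAfter: Math.ceil((current.expires - now) / 1000) };
    }
    return { allow: true, next: { count: current.count + 1, expires: current.expires }, retryAfter: 0 };
  }
  // No bucket, or the previous window has ended: start a fresh one.
  return { allow: true, next: { count: 1, expires: now + windowMs }, retryAfter: 0 };
}

// Stand-in for Deno KV (assumed, in-memory). casSet() only writes when the
// caller's versionstamp still matches, like kv.atomic().check(entry).
class MemoryStore {
  private data = new Map<string, { value: Bucket; versionstamp: string }>();
  private seq = 0;

  get(key: string): Entry {
    const e = this.data.get(key);
    return e ? { value: e.value, versionstamp: e.versionstamp } : { value: null, versionstamp: null };
  }

  casSet(key: string, expected: string | null, value: Bucket): boolean {
    const cur = this.data.get(key);
    if ((cur?.versionstamp ?? null) !== expected) return false; // someone else wrote first
    this.data.set(key, { value, versionstamp: String(++this.seq) });
    return true;
  }
}

class FixedWindowLimiter {
  constructor(private store: MemoryStore, private limit = 20, private windowMs = 60 * 1000) {}

  // Returns 0 when the request may proceed, otherwise the Retry-After seconds.
  check(ip: string, now: number): number {
    const key = `rate_limit:${ip}`;
    for (let attempt = 0; attempt < 3; attempt++) {
      const entry = this.store.get(key);
      const d = decide(entry.value, now, this.limit, this.windowMs);
      if (!d.allow) return d.retryAfter;
      if (this.store.casSet(key, entry.versionstamp, d.next)) return 0;
      // Lost the race with a concurrent request: re-read and try again.
    }
    return 1; // could not commit after retries: fail closed
  }
}

// Payload-size gate. Rejects a missing, malformed or oversized Content-Length so
// the handler never buffers an unbounded body with req.json().
function bodyTooLarge(contentLength: string | null, maxBytes: number): boolean {
  if (contentLength === null) return true;
  const n = Number(contentLength);
  return !Number.isInteger(n) || n < 0 || n > maxBytes;
}

// Constructed burst: n POSTs from one address at the same instant.
// Returns [allowed, denied].
function simulateBurst(limiter: FixedWindowLimiter, ip: string, n: number, now: number): [number, number] {
  let allowed = 0;
  let denied = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check(ip, now) === 0) allowed++;
    else denied++;
  }
  return [allowed, denied];
}
```

With a limit of 20, a burst of 25 admits exactly 20 and rejects 5; a request halfway through the window is told to retry in 30 seconds, and a request at the window boundary starts a new bucket. The casSet check is what makes the limit hold under concurrency: a writer holding a stale versionstamp is refused and must re-read, which is the same property kv.atomic().check() gives the middleware.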


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.