How to fix Lack of Resources & Rate Limiting
in Poem
Executive Summary
Poem's performance is top-tier, but raw speed is a liability without circuit breakers. Failing to implement rate limiting and resource constraints allows attackers to execute Denial of Service (DoS) attacks via thread starvation or memory exhaustion. If your endpoint is 'naked,' a simple loop can cripple your service. We need to implement Poem's middleware to enforce strict request quotas and payload boundaries.
The Vulnerable Pattern
use poem::{get, handler, route, Server, listener::TcpListener};#[handler] async fn index() -> &‘static str { “No protection here. Spam me.” }
#[tokio::main] async fn main() -> Result<(), std::io::Error> { // VULNERABLE: No RateLimit middleware and no PayloadLimit. // An attacker can flood this endpoint or send massive payloads to exhaust RAM. let app = route().at(”/”, get(index)); Server::new(TcpListener::bind(“127.0.0.1:3000”)) .run(app) .await }
The Secure Implementation
The hardened implementation uses Poem's middleware stack to enforce boundaries. The `RateLimit` middleware tracks request frequency and returns a 429 Too Many Requests status if the threshold (10 requests/5 seconds) is exceeded, preventing CPU/Thread starvation. The `PayloadLimit` middleware is equally critical; it terminates connections that attempt to send bodies larger than the defined limit (1KB), mitigating memory-based DoS attacks. In a production environment, you should also consider using a custom middleware that identifies users by IP or API Key to prevent a single malicious actor from triggering a global lockout.
use poem::{get, handler, route, Server, listener::TcpListener, EndpointExt, middleware::RateLimit, web::PayloadLimit}; use std::time::Duration;#[handler] async fn index() -> &‘static str { “Rate limited and payload constrained.” }
#[tokio::main] async fn main() -> Result<(), std::io::Error> { let app = route() .at(”/”, get(index)) // SECURE: Limit to 10 requests per 5 seconds per worker .with(RateLimit::new(10, Duration::from_secs(5))) // SECURE: Limit request body size to 1KB to prevent OOM .with(PayloadLimit::new(1024));
Server::new(TcpListener::bind("127.0.0.1:3000")) .run(app) .await
}
Your Poem API
might be exposed to Lack of Resources & Rate Limiting
74% of Poem apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.