GuardAPI

Fix Lack of Resources & Rate Limiting in Quarkus

Resource exhaustion in Quarkus isn't just a performance bottleneck; it's a critical availability vulnerability. Without explicit bounds on request frequency and payload size, an attacker can trigger OOM (Out of Memory) errors or thread pool starvation via Layer 7 DoS. This guide demonstrates how to harden the Quarkus stack using Vert.x-level constraints and the Rate Limiter extension.

The Vulnerable Pattern

import jakarta.inject.Inject;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

@Path("/api/compute")
public class InsecureResource {

    @Inject
    ComputeService service; // CPU-intensive service (hypothetical, not shown)

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    public Response calculate(String heavyInput) {
        // VULNERABILITY: No limit on payload size (the whole body is buffered on the heap)
        // VULNERABILITY: No rate limiting on expensive CPU operations
        // VULNERABILITY: Unbounded request queue (no cap on concurrent connections)
        return Response.ok(service.process(heavyInput)).build();
    }
}

The Secure Implementation

The hardened implementation addresses resource exhaustion on two fronts. First, the 'quarkus.http.limits' properties configure the underlying Vert.x engine to reject request bodies larger than 1MB and to cap the server at 100 concurrent connections, preventing heap exhaustion before a request ever reaches application code. Second, the '@RateLimit' annotation implements a token-bucket strategy at the resource level, ensuring that a single malicious actor cannot pin the CPU by hammering the expensive calculate() endpoint. This shifts the failure point from a system-wide crash to a controlled 429 Too Many Requests response.

// 1. Add dependency: io.quarkus:quarkus-smallrye-fault-tolerance (provides the @RateLimit annotation)
// 2. application.properties configuration:
// quarkus.http.limits.max-body-size=1024K
// quarkus.http.limits.max-connections=100

import java.time.temporal.ChronoUnit;

import io.smallrye.faulttolerance.api.RateLimit;
import jakarta.inject.Inject;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

@Path("/api/compute")
public class SecureResource {

    @Inject
    ComputeService service; // same CPU-intensive service as above (hypothetical, not shown)

    @POST
    // At most 10 calls per 1-minute window; exceeding it raises RateLimitException,
    // which should be mapped to 429 so the client sees Too Many Requests.
    @RateLimit(value = 10, window = 1, windowUnit = ChronoUnit.MINUTES)
    @Consumes(MediaType.APPLICATION_JSON)
    public Response calculate(String heavyInput) {
        return Response.ok(service.process(heavyInput)).build();
    }
}
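To make the two layers concrete, here is an added Python model (not code from this page or from Quarkus) of the order in which the defences fire: the Vert.x body limit first, then a 10-per-minute token bucket on the endpoint. The constants, FakeClock and simulate_burst are constructed for the demo; the real rate limiter's internals differ in detail.

```python
import time

# Constructed constants mirroring the page's configuration:
MAX_BODY_BYTES = 1024 * 1024    # quarkus.http.limits.max-body-size=1024K
LIMIT_REQUESTS = 10             # @RateLimit: 10 requests ...
LIMIT_PERIOD_SECONDS = 60.0     # ... per 1 minute

class TokenBucket:
    """Up to `capacity` tokens, refilled evenly over `period` seconds."""
    def __init__(self, capacity, period, clock=time.monotonic):
        self.capacity = capacity
        self.period = period
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def try_consume(self) -> bool:
        now = self.clock()
        # Refill in proportion to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.capacity / self.period)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def handle_compute(body: bytes, bucket: TokenBucket) -> int:
    """Status code the layered defence yields for one POST /api/compute."""
    if len(body) > MAX_BODY_BYTES:
        return 413  # Vert.x rejects the body before the resource method runs
    if not bucket.try_consume():
        return 429  # rate limiter rejects the call; service.process() never runs
    return 200      # the expensive work is allowed to proceed

class FakeClock:
    """Controllable clock so the refill behaviour is deterministic."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now

def simulate_burst() -> list:
    """Oversized body, then 11 rapid calls, then one call 6 s later."""
    clock = FakeClock()
    bucket = TokenBucket(LIMIT_REQUESTS, LIMIT_PERIOD_SECONDS, clock)
    statuses = [handle_compute(b"x" * (MAX_BODY_BYTES + 1), bucket)]  # 413, no token spent
    statuses += [handle_compute(b"{}", bucket) for _ in range(11)]    # ten 200s, then 429
    clock.now += 6.0  # 1/10 of the period refills exactly one token
    statuses.append(handle_compute(b"{}", bucket))  # 200 again
    return statuses
```

Note that the oversized request is rejected without spending a token, so a flood of huge bodies cannot starve legitimate callers of their quota.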
