Dev Tools · 3h ago
Rate Limit Headers Promised Enforcement That Didn't Exist
A developer discovered that a site's Worker attached RateLimit headers to every response but had no code to enforce them. The headers advertised a limit of 100 requests per 60 seconds, but no logic returned a 429. The fix uses Cloudflare's rate limiting binding, though it fails open if the binding is missing.
Meridian48 take
This is a cautionary tale about the gap between declared policy and actual enforcement, especially relevant as agent-readiness audits become standard.
rate-limitingcloudflare-workers