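/*
 * Core idea: derive the client IP from the request and apply an entry-level
 * rate limit to reduce abuse and attack exposure. The 429 response carries a
 * standard header expressing the retry time so well-behaved clients can
 * cooperate.
 *
 * Implementation
 */
import { NextResponse, NextRequest } from 'next/server'

// Per-isolate fixed-window counters keyed by client IP. The map lives in this
// module instance only, so it is a lightweight guard rather than a global limit.
const buckets = new Map<string, { count: number; reset: number }>()
// Window length in milliseconds and the number of requests allowed per window.
const WINDOW = 10_000
const LIMIT = 30
// Sweep expired buckets once the map grows past this size, so a client that
// rotates forged addresses cannot grow the map without bound.
const SWEEP_THRESHOLD = 10_000
// Longest textual IP accepted as a key (IPv6 with an embedded IPv4 is 45 chars).
const MAX_IP_LENGTH = 45

/**
 * Returns `candidate` trimmed if it looks like an IP literal, else undefined.
 *
 * Only a length cap and a charset check are applied: the goal is to keep
 * arbitrary attacker-supplied strings out of the bucket map, not to fully
 * validate the address.
 *
 * @param candidate raw header entry or platform value; null/undefined allowed
 */
function asIp(candidate: string | null | undefined): string | undefined {
  const value = candidate?.trim()
  if (!value || value.length > MAX_IP_LENGTH) return undefined
  return /^[0-9a-fA-F:.]+$/.test(value) ? value : undefined
}

/**
 * Resolves the client IP used as the rate-limit key.
 *
 * Preference order: the platform-provided `req.ip` (populated by the edge in
 * front of the app), then the first `X-Forwarded-For` entry, then 'unknown'.
 * The left-most XFF entry is client-controlled unless a trusted proxy
 * overwrites the header; deployments that rely on it must ensure the proxy
 * does, otherwise a forged header evades the limit. The 'unknown' fallback
 * pools every request without a usable IP into a single bucket.
 *
 * @param req incoming request
 * @returns a bounded, charset-checked key string
 */
function getIP(req: NextRequest): string {
  const fromPlatform = asIp(req.ip)
  if (fromPlatform) return fromPlatform
  const xff = req.headers.get('x-forwarded-for') ?? ''
  return asIp(xff.split(',')[0]) ?? 'unknown'
}

/**
 * Drops every bucket whose window has already elapsed.
 *
 * @param now current timestamp in milliseconds
 */
function sweepExpired(now: number): void {
  for (const [key, bucket] of buckets) {
    if (now > bucket.reset) buckets.delete(key)
  }
}

/**
 * Fixed-window limiter: at most LIMIT requests per WINDOW per client IP.
 *
 * @param req incoming request
 * @returns a 429 response with `Retry-After` (seconds until the window
 *   resets) once the limit is exceeded, otherwise `NextResponse.next()`
 */
export function middleware(req: NextRequest) {
  const ip = getIP(req)
  const now = Date.now()
  // Bound memory before inserting a possibly new key.
  if (buckets.size >= SWEEP_THRESHOLD) sweepExpired(now)
  const bucket = buckets.get(ip) ?? { count: 0, reset: now + WINDOW }
  if (now > bucket.reset) {
    bucket.count = 0
    bucket.reset = now + WINDOW
  }
  bucket.count += 1
  buckets.set(ip, bucket)
  if (bucket.count > LIMIT) {
    const retry = Math.ceil((bucket.reset - now) / 1000)
    return new NextResponse('Too Many Requests', {
      status: 429,
      headers: { 'Retry-After': String(retry) },
    })
  }
  return NextResponse.next()
}

// Skip Next.js internals and the public API so static assets and open
// endpoints are not throttled.
export const config = { matcher: ['/((?!_next|api/public).*)'] }

/*
 * Governance suggestions
 * In production, prefer persistent storage or gateway-level rate limiting;
 * this example is lightweight entry governance suited to low-traffic
 * protection. Exclude static assets and public APIs from the limit (for
 * example via the `matcher` allowlist) so normal access is not affected.
 *
 * Conclusion
 * Entry rate limiting is one of the basic lines of defense for front-end
 * security. Combining IP extraction with a standard rate-limit response
 * header improves predictability and reduces abuse risk.
 */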
