Global abuse protection of all public endpoints
Created by: tsenart
As we develop sourcegraph.com further according to RFC151, the need for protecting that deployment from Denial of Service attacks and other forms of abuse will increase.
Currently, we don't have any form of API rate limiting in place (i.e. GraphQL). We should follow prior art on other GraphQL APIs and use cost-based estimation on each query.
Additionally, any other public endpoint that isn't the GraphQL API also needs some form of rate limiting in place. We may be able to leverage Cloudflare for this, as well as DDoS protection.
Requested by:
- https://app.hubspot.com/contacts/2762526/company/464956351
- https://app.hubspot.com/contacts/2762526/company/557692805
From the latter:
> given that I can envision (over the long-term) teams wanting to build automation using the API, something we've noticed with GHE is that teams will create tooling without regard to load impact ... so having rate limiting will minimize our need to play "whack-a-mole" usage cops ... with GHE, we frequently see teams that put things in place that run on schedules ... oftentimes they get unintentionally misconfigured and we end up having to chase down the bad actors in a reactive manner
Related: