Open
Description
What type of issue is it? (Choose one - delete the others)
Discussion
What article/section is this about?
Describe the issue
When implementing API rate limiting as described here, the default setup relies on IP-based limiting via IpRateLimiting. However, in many production environments, Umbraco is hosted behind a Web Application Firewall (WAF) or reverse proxy (such as Cloudflare, Azure Front Door, NGINX, etc.). In these cases, the client IP address is typically replaced by the proxy’s IP, causing the rate limiting to apply to the WAF instead of the actual user.
Suggestion:
It would be helpful if the documentation included a clear note that:
When running Umbraco behind a WAF or reverse proxy, it's necessary to configure the RealIpHeader setting in appsettings.json to correctly extract the original client IP.
Something like:
"IpRateLimiting": {
  "RealIpHeader": "X-Forwarded-For",
  "HttpStatusCode": 429,
  ...
}
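Added example, not part of the original issue and not the rate-limiting library's own code: a small Python model of the behaviour described above, counting requests first by connection address and then by the forwarded header. The addresses, the limit of 3, and the trusted-proxy check are assumptions made for illustration; the check is there because a forwarded header only identifies the client when it was set by the proxy.

```python
import ipaddress
from collections import Counter

# Constructed values (documentation address ranges), not taken from the issue.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]  # the WAF / reverse proxy
LIMIT = 3  # hypothetical rule: 3 requests per window
CLIENTS = ["198.51.100.8", "198.51.100.7", "198.51.100.8", "198.51.100.8",
           "198.51.100.7", "198.51.100.8", "198.51.100.8"]
# Every request reaches the application from the proxy's address.
TRAFFIC = [("203.0.113.10", {"X-Forwarded-For": c}) for c in CLIENTS]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_key(peer_ip, headers, real_ip_header=None):
    """Return the address the limiter should count this request against."""
    if real_ip_header is None:
        return peer_ip  # default: key on the connection address
    if not is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip  # not from the proxy: the header is caller-supplied, ignore it
    hops = [h.strip() for h in headers.get(real_ip_header, "").split(",") if h.strip()]
    # Walk right to left; the first hop that is not one of our proxies is the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the connection address
        if not is_trusted(addr):
            return str(addr)
    return peer_ip

def simulate(requests, real_ip_header=None):
    """Apply one fixed window; return {key: number of requests answered with 429}."""
    seen, rejected = Counter(), Counter()
    for peer_ip, headers in requests:
        key = client_key(peer_ip, headers, real_ip_header)
        seen[key] += 1
        if seen[key] > LIMIT:
            rejected[key] += 1
    return dict(rejected)

if __name__ == "__main__":
    print("keyed on connection IP:", simulate(TRAFFIC))
    print("keyed on X-Forwarded-For:", simulate(TRAFFIC, "X-Forwarded-For"))
```

Keyed on the connection address, both clients share the proxy's bucket and the light user is throttled along with the heavy one; keyed on the header, only the client that exceeded the limit is rejected.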