F8: signup-txt has no rate limiting #2

Open
opened 2026-05-06 10:56:40 +01:00 by s8n · 0 comments
Owner

Severity: High — Risk Score open
Status: Open — pattern exists for Misskey signup-strict, mirror needed.

The /signup endpoint on signup.txt.s8n.ru has neither a Traefik rate-limit middleware nor an nginx limit_req zone. A bot/spammer flood would create thousands of Matrix accounts in seconds.

Fix: Add a Traefik rate-limit-signup-txt@file middleware (1 req / 30s, burst 3 — matching signup-strict for Misskey) AND an nginx-level limit_req in the signup-txt config block.

Verification: k6 / siege test — 5 requests in 1 s should see 4 rejected with 429.
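A Traefik dynamic-configuration fragment for the middleware the fix calls for, added here as an illustration and not taken from the infra repository. The middleware name and the rate parameters (1 per 30 s, burst 3) are the ones stated in the issue; the router name, service name and the `websecure` entry point are assumptions for the example.

```yaml
# Traefik dynamic configuration, file provider (example, not the repository's own file).
# Loaded as e.g. /etc/traefik/dynamic/signup-txt.yml so the middleware is addressable as
# rate-limit-signup-txt@file.
http:
  middlewares:
    rate-limit-signup-txt:
      rateLimit:
        average: 1        # allow 1 request ...
        period: 30s       # ... per 30 seconds per client (default source criterion: remote IP)
        burst: 3          # bucket size: up to 3 back-to-back requests before 429 is returned

  routers:
    signup-txt:           # router name is an assumption
      rule: "Host(`signup.txt.s8n.ru`) && Path(`/signup`)"
      entryPoints:
        - websecure       # entry point name is an assumption
      middlewares:
        - rate-limit-signup-txt@file
      service: signup-txt # service name is an assumption; defined elsewhere in the dynamic config
```

Traefik's rateLimit is a token bucket: `average`/`period` is the refill rate, `burst` is the bucket size, and requests that find the bucket empty get HTTP 429. A cold client therefore gets its first three requests through, so a k6/siege run of five requests in one second sees two rejections on the first try and four only once the burst has already been spent; the verification should either prime the bucket first or measure over a second burst. The nginx counterpart in the signup-txt server block is a zone keyed on the client address with the same numbers, `limit_req_zone $binary_remote_addr zone=signup_txt:10m rate=2r/m;` (nginx has no per-30-second unit, so 1 req / 30 s is written as 2r/m) applied with `limit_req zone=signup_txt burst=3 nodelay;` on the `/signup` location.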

Source: security/nullstone-server/2026-05-02.md §F8.

s8n added the audit, high, infra, security labels 2026-05-06 10:56:40 +01:00
Reference: veilor-org/infra#2