No rate limiting on /api/recommend endpoint enables abuse

[Siddh2024]

Type: Security Bug
File: routes/main_routes.py, line 47

The recommendation endpoint runs without rate limiting. Attackers can send high-volume requests to exhaust server resources.

[varshneytarang]

Hi maintainers,

I would like to work on this issue under GSSoC'26.

After reviewing the project structure, I noticed that the recommendation endpoint (POST /api/recommend) is a publicly accessible API and currently lacks rate limiting protection. Since this endpoint performs recommendation processing on every request, it could be abused through automated high-frequency requests, potentially leading to resource exhaustion, degraded performance, or denial-of-service scenarios.

Proposed Solution
Analyze the current implementation in routes/main_routes.py.
Implement rate limiting on the recommendation endpoint using a well-established Flask-compatible solution (e.g., Flask-Limiter).
Configure sensible limits such as:
Requests per minute per IP
Burst protection for rapid consecutive requests
Return proper HTTP 429 Too Many Requests responses when limits are exceeded.
Ensure the implementation remains configurable for future scaling needs.
Add/update tests to verify rate-limiting behavior and prevent regressions.
Document the configuration for contributors and maintainers.
Relevant Experience

My background is primarily in backend development and API engineering, including:

Node.js and Express API development
Authentication and authorization mechanisms
Database-backed applications
Security-focused backend design
Building and securing web applications for production use
Experience identifying and mitigating API abuse vectors

Could you please assign this issue to me under GSSoC'26?

Thank you!

[boss477]

Hi @komalharshita - I would like to work on this issue under GSSoC 2026. Please assign this to me!