add rate limits to all public endpoints

2 files changed, 13 insertions, 0 deletions

diff --git a/packages/backend/src/server/api/endpoints/mute/delete.ts b/packages/backend/src/server/api/endpoints/mute/delete.ts
index d11832858e..1e14bafc87 100644
--- a/packages/backend/src/server/api/endpoints/mute/delete.ts
+++ b/packages/backend/src/server/api/endpoints/mute/delete.ts
@@ -10,6 +10,7 @@ import { DI } from '@/di-symbols.js';
 import { GetterService } from '@/server/api/GetterService.js';
 import { UserMutingService } from '@/core/UserMutingService.js';
 import { ApiError } from '../../error.js';
+import ms from 'ms';
 
 export const meta = {
 	tags: ['account'],
@@ -37,6 +38,12 @@ export const meta = {
 			id: '5467d020-daa9-4553-81e1-135c0c35a96d',
 		},
 	},
+
+	// 20 calls per hour (match create)
+	limit: {
+		duration: ms('1hour'),
+		max: 20,
+	},
 } as const;
 
 export const paramDef = {
diff --git a/packages/backend/src/server/api/endpoints/mute/list.ts b/packages/backend/src/server/api/endpoints/mute/list.ts
index 23204f2829..3efbe349e0 100644
--- a/packages/backend/src/server/api/endpoints/mute/list.ts
+++ b/packages/backend/src/server/api/endpoints/mute/list.ts
@@ -26,6 +26,12 @@ export const meta = {
 			ref: 'Muting',
 		},
 	},
+
+	// 5 calls per second
+	limit: {
+		duration: 1000,
+		max: 5,
+	},
 } as const;
 
 export const paramDef = {