Posted: Sun Jun 26, 2022 4:24 pm
Racoda wrote:To be honest, I have no experience with CORS -- hence the suggestion to authenticate differently than in headers. I've had a discussion with Sherp after posting and I agree that exempting OPTIONS from the rate-limit (and preventing it from sending an API response) is the best solution, especially since a CORS request will be needed anyway to authorize sending a custom user-agent header.
The API hasn't sent a full response (i.e. with data) to OPTIONS requests since 2015 as far as I can tell, but anyway, I tweaked the config to avoid hitting the API altogether, which should mean the rate limit isn't triggered. How does it look now?