[Bug]: Requests being rate limited by default #41313

@wyattwalter

Is there an existing issue for this?

  • I have searched the existing issues

Description

There's an issue with Caddy in the latest version that's causing some issues with static files — any pre-compressed static files being served are using a 206 HTTP status. It looks like this is a bug in Caddy 2.10.2 which was included in v1.88+. It has been patched in Caddy's default branch, but they haven't released a new version yet and don't seem to be in a hurry to do so: caddyserver/caddy#7250

The reason that this is significant is that static assets with a 206 status aren't cached in the browser for service workers to use. During the loading of the homepage on a basic install via Docker Compose from latest on release, I'm seeing ~90 requests. A handful are to Paragon, Google Fonts, etc. But the vast majority are to Appsmith.

On login, the number climbs — around 125 or so. The number is fluid, however, because on localhost it busts through the default rate limit set by Caddy at 100 req/s since there's little latency between the client and server. So we see this wave of requests where the service workers retry the requests that get a 429 response. Some get through, then it has to try again, etc., resulting in a huge number of requests and delayed page loading.

This isn't observed on the cloud version because that traffic is served through CloudFront which seems to be caching those responses anyway and returning a 200 instead. Also, when deploying to a cloud environment, you may or may not see it because the latency is simply high enough that the client doesn't have enough time to send 100 requests within a second. But sometimes it does, and the behavior can be weird.

It can also conflict with rate limits that users might have upstream of Appsmith to protect against DoS attacks. ingress-nginx's default, however, is to return a 503 rather than a 429 when a rate limit + queue is exhausted, which breaks the user's application.

Steps To Reproduce

Deploy Appsmith 1.88+

Observe the network tab in your browser dev console to see requests for static files are getting 206 or 429 status.

Public Sample App

No response

Environment

Production

Severity

Medium (Frustrating UX)

Issue video log

No response

Version

1.88
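
Added example, not part of the original issue and not Appsmith or Caddy code: a log triage script for the pattern reported above, flagging 206 responses to requests that carried no `Range` header and the seconds in which the request count exceeds the 100 req/s limit. The log lines are constructed in the shape of Caddy's JSON access log; the URIs and the `build_sample` and `triage` names are hypothetical.

```python
import json
from collections import Counter

LIMIT_PER_SEC = 100  # rate limit figure quoted in the issue

def build_sample():
    """Constructed lines shaped like Caddy's JSON access log; not real traffic."""
    entries = []
    for i in range(125):  # one login page load landing inside a single second
        entries.append({"ts": 1700000000 + i / 1000,
                        "status": 206 if i < 100 else 429,
                        "request": {"uri": f"/static/js/chunk-{i}.js",  # hypothetical path
                                    "headers": {"Accept-Encoding": ["gzip, br"]}}})
    # A genuine range request, where 206 is the correct response.
    entries.append({"ts": 1700000001.5, "status": 206,
                    "request": {"uri": "/static/media/demo.mp4",
                                "headers": {"Range": ["bytes=0-1023"]}}})
    return "\n".join(json.dumps(e) for e in entries)

def triage(log_text, limit_per_sec=LIMIT_PER_SEC):
    """Flag 206s sent without a Range request header and seconds over the limit."""
    unexpected_206, per_second, throttled = [], Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        request = entry["request"]
        header_names = {name.lower() for name in request.get("headers", {})}
        second = int(entry["ts"])
        per_second[second] += 1
        if entry["status"] == 206 and "range" not in header_names:
            unexpected_206.append(request["uri"])
        elif entry["status"] == 429:
            throttled[second] += 1
    return {
        "unexpected_206": unexpected_206,
        "throttled_per_sec": dict(throttled),
        "seconds_over_limit": sorted(s for s, n in per_second.items() if n > limit_per_sec),
    }

if __name__ == "__main__":
    report = triage(build_sample())
    print(len(report["unexpected_206"]), "static responses returned 206 without a Range request")
    print("429s per second:", report["throttled_per_sec"])
    print("seconds above the limit:", report["seconds_over_limit"])
```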

Metadata

Labels

Bug (Something isn't working), Medium (Issues that frustrate users due to poor UX), Production
