refactor: set rate limit enabled by default

Author: mert-ergun

.env.example

@@ -2,9 +2,12 @@
 # Copy this file to .env and adjust values as needed
 
 # Environment type: 'development' or 'production'
-# In development mode, CSRF protection and rate limiting are disabled
+# In development mode, CSRF protection is disabled
 CROSSBAR_ENV=development
 
+# Rate limiting: enabled by default. Set to 'false' or '0' to disable.
+# CROSSBAR_RATE_LIMIT=false
+
 # API keys for various LLM providers
 OPENAI_API_KEY="sk-************************************************"
 GEMINI_API_KEY="AI*****************-**-******-*********"

ENVIRONMENT.md

@@ -5,7 +5,7 @@ CROssBAR LLM backend can be configured to run in different environments with dis
 ## Environment Types
 
 The application supports two environment types:
-- **Development**: Optimized for local development with security features relaxed and no rate limiting
+- **Development**: Optimized for local development with CSRF disabled (rate limiting enabled unless CROSSBAR_RATE_LIMIT=false)
 - **Production**: Full security features enabled with CSRF protection and rate limiting
 
 ## Configuration
@@ -24,12 +24,20 @@ You can set this in your `.env` file or directly in your environment.
 | Feature | Development | Production |
 |---------|-------------|------------|
 | CSRF Protection | Disabled | Enabled |
-| Rate Limiting | Disabled | Enabled |
+| Rate Limiting | See CROSSBAR_RATE_LIMIT below | See CROSSBAR_RATE_LIMIT below |
 | Debug Logging | Verbose | Minimal |
 
-### Rate Limits (Production Only)
+### Rate Limiting (CROSSBAR_RATE_LIMIT)
 
-Rate limiting in production mode follows these defaults:
+Rate limiting is **enabled by default**. Set `CROSSBAR_RATE_LIMIT=false` or `0` to disable:
+
+```
+CROSSBAR_RATE_LIMIT=false   # Disable rate limiting
+```
+
+### Rate Limits (When Enabled)
+
+When rate limiting is enabled, these defaults apply:
 - 6 requests per minute
 - 20 requests per hour
 - 50 requests per day

README.md

@@ -173,7 +173,7 @@ When the backend is running, you can access:
 
 The application supports both development and production environments with different security settings:
 
-- **Development mode** (default): Disables CSRF protection and rate limiting for easier local development
+- **Development mode** (default): Disables CSRF protection for easier local development (rate limiting on unless CROSSBAR_RATE_LIMIT=false)
 - **Production mode**: Enables full security features
 
 For details on configuring the environment, see [ENVIRONMENT.md](ENVIRONMENT.md).

crossbar_llm/backend/config.py

@@ -15,18 +15,22 @@
 IS_PRODUCTION = ENV == "production"
 IS_DEVELOPMENT = not IS_PRODUCTION
 
+# Rate limit: enforced by default. Set CROSSBAR_RATE_LIMIT=false or 0 to disable.
+_rate_limit_env = os.getenv("CROSSBAR_RATE_LIMIT", "").lower()
+RATE_LIMITING_ENABLED = _rate_limit_env not in ("false", "0")
+
 # Environment-specific settings
 SETTINGS = {
     "csrf_enabled": IS_PRODUCTION,
-    "rate_limiting_enabled": IS_PRODUCTION,
+    "rate_limiting_enabled": RATE_LIMITING_ENABLED,
     "debug_logging": IS_DEVELOPMENT,
     # Rate limiting settings
     "rate_limits": {
-        # Use a very large number in development mode instead of infinity
-        # to avoid JSON serialization issues
-        "minute": 6 if IS_PRODUCTION else 10000000,  # Requests per minute
-        "hour": 20 if IS_PRODUCTION else 10000000,  # Requests per hour
-        "day": 50 if IS_PRODUCTION else 10000000,  # Requests per day
+        # Use production limits when rate limiting is enabled; otherwise use
+        # very large numbers (instead of infinity) to avoid JSON serialization issues
+        "minute": 6 if RATE_LIMITING_ENABLED else 10000000,  # Requests per minute
+        "hour": 20 if RATE_LIMITING_ENABLED else 10000000,  # Requests per hour
+        "day": 50 if RATE_LIMITING_ENABLED else 10000000,  # Requests per day
     },
 }
 

crossbar_llm/backend/main.py

@@ -319,7 +319,7 @@ def __init__(self):
 
         # Log with readable rate limit values
         if not self.enabled:
-            Logger.info("Rate limiting is disabled (development mode)")
+            Logger.info("Rate limiting is disabled")
         else:
             # Consider very high limits as effectively unlimited for display purposes
             minute_display = (