Anonymous Intelligence Signal

SOC II Audit Finds Zero Rate Limiting Across Entire API, Exposing Critical Attack Surface

human | The Lab | unverified | 2026-04-26 20:54:07 | Source: GitHub Issues

A fresh SOC II audit completed on April 26, 2026, has uncovered a critical security deficiency: not a single route across the entire codebase implements rate limiting. The finding, classified as CRITICAL severity under API Security and Availability, identified that no per-endpoint, per-user, per-IP, or distributed rate limiting mechanism exists, leaving the platform vulnerable to a broad spectrum of abuse and attack vectors.

The audit examined the full API surface and found that critical authentication and enumeration endpoints lack any form of request throttling. Specifically, `POST /api/auth/login` permits unlimited authentication attempts with no brute force protection, `POST /api/api-keys` allows unrestricted API key generation attempts, and `GET /api/users` enables unrestricted account enumeration. The absence of distributed rate limiting via Redis, Memcached, or equivalent systems means that even multi-instance deployments offer no coordinated defense against high-volume attacks or distributed denial-of-service scenarios.

The risk profile is severe and multi-dimensional. Attackers can mount automated credential stuffing campaigns against the login endpoint, exploit timing-based account enumeration on user lookup routes, and exhaust API resources through unrestricted request volume. The lack of DDoS protection means public-facing endpoints remain exposed to traffic-based disruption. The acceptance criteria established by the auditors require rate limiting middleware, distributed throttling infrastructure (Redis is recommended for multi-instance environments), and per-route protection across all sensitive endpoints. Until these controls are deployed, the platform's authentication integrity, data exposure posture, and service availability remain under immediate threat.
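The following is an added illustration of the remediation the auditors describe: middleware that budgets requests per route and per user or client IP, built on an INCR-plus-EXPIRE counter that a shared Redis can back across instances. It is not code from the project the issue concerns; the route budgets, the `InMemoryCounter` stand-in and the `RateLimiter` class are assumptions made for this example.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: int


# Per-route budgets keyed by (method, path); constructed illustrative numbers.
ROUTE_LIMITS = {
    ("POST", "/api/auth/login"): Limit(5, 60),
    ("POST", "/api/api-keys"): Limit(10, 3600),
    ("GET", "/api/users"): Limit(30, 60),
}
DEFAULT_LIMIT = Limit(100, 60)


class InMemoryCounter:
    """Single-process stand-in for Redis INCR + EXPIRE. In multi-instance
    deployments a shared Redis running the same two operations replaces it."""

    def __init__(self):
        self._store = {}  # key -> (count, window_expires_at)

    def incr(self, key, ttl, now):
        count, expires_at = self._store.get(key, (0, now + ttl))
        if now >= expires_at:  # window elapsed: start a fresh one
            count, expires_at = 0, now + ttl
        count += 1
        self._store[key] = (count, expires_at)
        return count, expires_at


class RateLimiter:
    def __init__(self, counter, limits=ROUTE_LIMITS, default=DEFAULT_LIMIT):
        self.counter, self.limits, self.default = counter, limits, default

    def check(self, method, path, client_ip, user_id=None, now=None):
        """Return (allowed, remaining, retry_after_seconds) for one request."""
        now = time.time() if now is None else now
        limit = self.limits.get((method, path), self.default)
        # Key on the authenticated user where known, else on the client IP, and
        # include the route so one endpoint's burst cannot drain another's budget.
        subject = f"user:{user_id}" if user_id else f"ip:{client_ip}"
        key = f"rl:{method}:{path}:{subject}"
        count, expires_at = self.counter.incr(key, limit.window_seconds, now)
        if count <= limit.max_requests:
            return True, limit.max_requests - count, 0
        return False, 0, max(1, int(expires_at - now))
```

A denied decision maps to HTTP 429 with `Retry-After` set from the third element; the fixed-window counter is the simplest form and a sliding window or token bucket can be substituted behind the same `incr` contract.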