luarx opened a new issue, #12321: URL: https://github.com/apache/apisix/issues/12321
### Current Behavior OPTIONS requests are not being rate-limited by the limit-count plugin when the CORS plugin is also configured, even when the limit-count plugin is assigned a higher priority I have checked and CORS plugin has more priority than limit-count: - CORS: [4000](https://github.com/apache/apisix/blob/master/apisix/plugins/cors.lua#L149) - limit-count: [1002](https://github.com/apache/apisix/blob/master/apisix/plugins/limit-count.lua#L24) But specifying a custom priority for each plugin should prioritise limit-count over CORS ### Expected Behavior I want OPTIONS requests (preflight CORS headers) to be rate-limited when using CORS plugin when specifying custom priorities. This is to prevent some DDoS attacks ### Error Logs _No response_ ### Steps to Reproduce Configure this route { "uris": [ "/example/*" ], "name": "example", "methods": [ "OPTIONS" ], "plugins": { "cors": { "_meta": { "priority": 20 }, "allow_credential": false, "allow_headers": "*", "allow_methods": "*", "allow_origins": "*", "max_age": 5 }, "limit-count": { "_meta": { "priority": 5000 }, "allow_degradation": false, "count": 5, "key": "remote_addr", "key_type": "var", "policy": "local", "rejected_code": 429, "show_limit_quota_header": true, "time_window": 1 } }, "upstream_id": "1e7e3c71", "status": 1 } ### Environment - APISIX version (run `apisix version`): v3.12.0 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
