Review: Add rate limiting to REST API endpoints

Bug #120: API Rate Limiting Missing

Severity: MEDIUM

Description

REST API endpoints may lack rate limiting, allowing abuse or enumeration attacks.

Vulnerable Code Location

• REST API controllers
• API authentication
• Request handling

Impact

• API abuse
• Denial of service
• Data enumeration
• Resource exhaustion

Recommended Fix

1. Implement rate limiting per user/IP
2. Configure limits per endpoint
3. Log rate limit violations
4. Implement exponential backoff
5. Return appropriate 429 responses

HIPAA/PIPEDA Compliance

API security requirements.

Potential vulnerability identified from JunoEMR security analysis - requires verification in current CARLOS EMR codebase