OWASP
diff --git a/‎copi.owasp.org/README.md‎
Lines changed: 60 additions & 0 deletions b/‎copi.owasp.org/README.md‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎copi.owasp.org/SECURITY.md‎
Lines changed: 203 additions & 0 deletions b/‎copi.owasp.org/SECURITY.md‎
Lines changed: 203 additions & 0 deletions
diff --git a/‎copi.owasp.org/config/config.exs‎
Lines changed: 11 additions & 0 deletions b/‎copi.owasp.org/config/config.exs‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎copi.owasp.org/lib/copi/application.ex‎
Lines changed: 2 additions & 0 deletions b/‎copi.owasp.org/lib/copi/application.ex‎
Lines changed: 2 additions & 0 deletions
@@ -75,6 +75,52 @@ To start your Phoenix server:
 
 Now you can visit [`localhost:4000`](http://localhost:4000) from your browser.
 
+## Security Features
+
+### Rate Limiting
+
+Copi implements IP-based rate limiting to protect against abuse and ensure availability for all users. This addresses CAPEC 212 (Functionality Misuse) attacks.
+
+**Features:**
+- **Game Creation Limiting**: Limits the number of games that can be created from a single IP address
+- **Connection Limiting**: Limits the number of WebSocket connections from a single IP address
+- **Configurable Limits**: All limits and time windows are configurable via environment variables
+
+**Configuration:**
+
+Set the following environment variables to customize rate limits:
+
+```bash
+# Maximum games per IP (default: 10)
+export MAX_GAMES_PER_IP=10
+
+# Time window for game creation in seconds (default: 3600 = 1 hour)
+export GAME_CREATION_WINDOW_SECONDS=3600
+
+# Maximum connections per IP (default: 50)
+export MAX_CONNECTIONS_PER_IP=50
+
+# Time window for connections in seconds (default: 300 = 5 minutes)
+export CONNECTION_WINDOW_SECONDS=300
+```
+
+**How it works:**
+- The rate limiter tracks requests by IP address
+- When a limit is exceeded, users receive a clear error message with a retry time
+- Expired entries are automatically cleaned up every 5 minutes
+- Rate limits are independent for game creation vs. connections
+- The system handles both IPv4 and IPv6 addresses
+- X-Forwarded-For headers are respected for reverse proxy deployments
+
+**For Reverse Proxy Deployments:**
+
+If deploying behind a reverse proxy (nginx, Apache, Cloudflare, etc.), ensure the proxy passes the real client IP:
+
+```nginx
+# Nginx example
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+```
+
 Ready to run in production? Please [check our deployment guides](https://hexdocs.pm/phoenix/deployment.html).
 
 ## More about Phoenix
@@ -97,6 +143,14 @@ Login to fly and create a PostgreSQL cluster. See: see: https://fly.io/dashboard
     fly launch --no-deploy
 
 Make a note of the host and name of the app and the name of the postgresql cluster.
+
+Configure rate limiting (optional, uses defaults if not set):
+
+    fly secrets set MAX_GAMES_PER_IP=10 --app <app name>
+    fly secrets set GAME_CREATION_WINDOW_SECONDS=3600 --app <app name>
+    fly secrets set MAX_CONNECTIONS_PER_IP=50 --app <app name>
+    fly secrets set CONNECTION_WINDOW_SECONDS=300 --app <app name>
+
 Then deploy the app from `./copi.owasp.org`
 
     fly mpg attach <cluster name> --app <app name>
@@ -139,6 +193,12 @@ Set your prefered app name instead of `<name>`
     heroku config:set SECRET_KEY_BASE=$(mix phx.gen.secret)
     heroku config:set POOL_SIZE=18
     heroku config:set PROJECT_PATH=copi.owasp.org # points to the subdirectory
+    
+    # Optional: Configure rate limiting (uses defaults if not set)
+    heroku config:set MAX_GAMES_PER_IP=10
+    heroku config:set GAME_CREATION_WINDOW_SECONDS=3600
+    heroku config:set MAX_CONNECTIONS_PER_IP=50
+    heroku config:set CONNECTION_WINDOW_SECONDS=300
 
 ### Heroku deploy
 
 
@@ -0,0 +1,203 @@
+# Security Implementation for Copi
+
+This document describes the security measures implemented in Copi to protect against abuse and ensure service availability.
+
+## Overview
+
+Copi has implemented IP-based rate limiting to protect against **CAPEC 212 (Functionality Misuse)** attacks. These protections help ensure that the service remains available for all legitimate users by preventing a single source from overwhelming the system.
+
+## Implemented Protections
+
+### 1. Game Creation Rate Limiting
+
+**Purpose**: Prevents a single IP address from creating an excessive number of games, which could lead to database exhaustion or denial of service.
+
+**Default Configuration**:
+- Maximum games per IP: 10
+- Time window: 3600 seconds (1 hour)
+
+**Behavior**:
+- Tracks game creation attempts by IP address
+- When the limit is exceeded, users receive a clear error message
+- The limit resets after the time window expires
+- Different IP addresses have independent limits
+
+**Configuration**:
+```bash
+export MAX_GAMES_PER_IP=10
+export GAME_CREATION_WINDOW_SECONDS=3600
+```
+
+### 2. WebSocket Connection Rate Limiting
+
+**Purpose**: Prevents a single IP address from opening excessive WebSocket connections, which could exhaust server resources.
+
+**Default Configuration**:
+- Maximum connections per IP: 50
+- Time window: 300 seconds (5 minutes)
+
+**Behavior**:
+- Tracks connection attempts by IP address
+- When the limit is exceeded, connections are rejected with an error message
+- The limit resets after the time window expires
+- Does not affect existing active connections
+
+**Configuration**:
+```bash
+export MAX_CONNECTIONS_PER_IP=50
+export CONNECTION_WINDOW_SECONDS=300
+```
+
+## Technical Implementation
+
+### Architecture
+
+The rate limiting system consists of several components:
+
+1. **Copi.RateLimiter** (`lib/copi/rate_limiter.ex`)
+   - GenServer that maintains rate limit state
+   - Tracks requests per IP address and action type
+   - Automatically cleans up expired entries every 5 minutes
+   - Provides a simple API for checking and recording actions
+
+2. **CopiWeb.Plugs.RateLimiter** (`lib/copi_web/plugs/rate_limiter.ex`)
+   - Plug for HTTP request rate limiting
+   - Extracts IP addresses from connections
+   - Handles X-Forwarded-For headers for reverse proxies
+   - Returns proper HTTP 429 status codes when limits are exceeded
+
+3. **LiveView Integration**
+   - Game creation rate limiting in `CopiWeb.GameLive.CreateGameForm`
+   - Connection rate limiting in `CopiWeb.GameLive.Index`
+   - Provides user-friendly error messages
+
+### IP Address Handling
+
+The system correctly handles:
+- IPv4 addresses (e.g., 192.168.1.1)
+- IPv6 addresses (e.g., 2001:db8::1)
+- X-Forwarded-For headers (for reverse proxy deployments)
+- Multiple IP addresses in X-Forwarded-For (uses the first one)
+
+### Rate Limit Response Headers
+
+When rate limiting is active, the following headers are included in responses:
+
+- `X-RateLimit-Remaining`: Number of requests remaining in the current window
+- `Retry-After`: Seconds until the rate limit resets (only included when rate limited)
+
+### Error Messages
+
+Users who exceed rate limits receive clear, informative error messages:
+
+```
+Rate limit exceeded. Too many games created from your IP address.
+Please try again in 3456 seconds.
+This limit helps ensure service availability for all users.
+```
+
+## Deployment Considerations
+
+### Reverse Proxy Configuration
+
+If deploying behind a reverse proxy (nginx, HAProxy, Cloudflare, etc.), ensure the real client IP is passed through:
+
+**Nginx**:
+```nginx
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+```
+
+**Apache**:
+```apache
+RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+```
+
+**Cloudflare**:
+Cloudflare automatically sets the CF-Connecting-IP header. The X-Forwarded-For header should also be present.
+
+### Monitoring
+
+Monitor the following metrics to detect abuse or adjust rate limits:
+
+- Rate limit rejections (logged as warnings)
+- Rate limit state size (number of tracked IPs)
+- 429 HTTP responses
+- Flash messages about rate limiting
+
+### Adjusting Rate Limits
+
+Rate limits can be adjusted based on your deployment needs:
+
+**For Development/Testing**:
+```bash
+export MAX_GAMES_PER_IP=100
+export MAX_CONNECTIONS_PER_IP=200
+```
+
+**For High-Traffic Production**:
+```bash
+export MAX_GAMES_PER_IP=5
+export GAME_CREATION_WINDOW_SECONDS=7200  # 2 hours
+export MAX_CONNECTIONS_PER_IP=30
+export CONNECTION_WINDOW_SECONDS=600  # 10 minutes
+```
+
+**For Low-Traffic/Internal Use**:
+```bash
+export MAX_GAMES_PER_IP=50
+export MAX_CONNECTIONS_PER_IP=100
+```
+
+## Testing
+
+The implementation includes comprehensive tests:
+
+- **Unit tests** for the RateLimiter GenServer (`test/copi/rate_limiter_test.exs`)
+- **Integration tests** for the RateLimiter Plug (`test/copi_web/plugs/rate_limiter_test.exs`)
+
+Run tests:
+```bash
+mix test
+```
+
+Run specific rate limiter tests:
+```bash
+mix test test/copi/rate_limiter_test.exs
+mix test test/copi_web/plugs/rate_limiter_test.exs
+```
+
+## Future Enhancements
+
+Potential future security enhancements (not currently implemented):
+
+1. **Authentication Integration**
+   - Associate rate limits with authenticated users
+   - Different limits for authenticated vs. anonymous users
+   - Per-user rate limiting instead of just per-IP
+
+2. **Geographic Rate Limiting**
+   - Different limits based on geographic location
+   - Blocking or stricter limits for high-risk regions
+
+3. **Adaptive Rate Limiting**
+   - Automatically adjust limits based on system load
+   - Stricter limits during high traffic periods
+
+4. **CAPTCHA Integration**
+   - Require CAPTCHA after repeated rate limit violations
+   - Optional CAPTCHA for game creation
+
+5. **Rate Limit Dashboard**
+   - Admin interface to view current rate limit state
+   - Ability to manually block/unblock IPs
+   - Real-time monitoring of rate limit violations
+
+## Reporting Security Issues
+
+If you discover a security vulnerability in Copi, please report it to the OWASP Cornucopia team through the [GitHub Security Advisories](https://github.com/OWASP/cornucopia/security/advisories) page.
+
+## References
+
+- [CAPEC-212: Functionality Misuse](https://capec.mitre.org/data/definitions/212.html)
+- [OWASP API Security Top 10 - API4:2023 Unrestricted Resource Consumption](https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/)
+- [Phoenix Framework Security](https://hexdocs.pm/phoenix/security.html)
@@ -27,6 +27,17 @@ config :copi, CopiWeb.Endpoint,
 
 config :copi, env: Mix.env()
 
+# Configure rate limiting to prevent abuse (CAPEC 212 - Functionality Misuse)
+config :copi, Copi.RateLimiter,
+  # Maximum number of games that can be created from a single IP in the time window
+  max_games_per_ip: System.get_env("MAX_GAMES_PER_IP", "10") |> String.to_integer(),
+  # Time window in seconds for game creation rate limiting (default: 1 hour)
+  game_creation_window_seconds: System.get_env("GAME_CREATION_WINDOW_SECONDS", "3600") |> String.to_integer(),
+  # Maximum number of WebSocket connections from a single IP in the time window
+  max_connections_per_ip: System.get_env("MAX_CONNECTIONS_PER_IP", "50") |> String.to_integer(),
+  # Time window in seconds for connection rate limiting (default: 5 minutes)
+  connection_window_seconds: System.get_env("CONNECTION_WINDOW_SECONDS", "300") |> String.to_integer()
+
 # Configure tailwind (the version is required)
 config :tailwind,
   version: "3.4.0",
 
@@ -15,6 +15,8 @@ defmodule Copi.Application do
       {Phoenix.PubSub, name: Copi.PubSub},
       # Start the DNS clustering
       {DNSCluster, query: Application.get_env(:copi, :dns_cluster_query) || :ignore},
+      # Start the Rate Limiter for security
+      Copi.RateLimiter,
       # Start the Endpoint (http/https)
       CopiWeb.Endpoint
       # Start a worker by calling: Copi.Worker.start_link(arg)