Add native rate limiting support to Undertow server

Description

Currently, CommandBox's Undertow server doesn't include native rate limiting capabilities. This security feature would help protect CF applications against malicious traffic.

Desired Functionality:

  • Limit requests per IP address within a specified timeframe

  • Configure via server.json, similar to other server settings

  • Configurable options for:

    • Maximum requests per time window

    • Time window duration

    • Response status code (e.g., 429)

    • Optional IP whitelist

Background:
This came up in a forum discussion where a developer suggested it could be added as an Undertow handler. Having this built into CommandBox would provide important security functionality without requiring Java expertise or external proxy servers.

Use Case:
Protecting CF applications from:

  • Rapid vulnerability scanning

  • Bot abuse

  • Brute force attempts

  • DDoS attacks

This would be similar to nginx's limit_req_zone functionality but native to CommandBox.
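As an added illustration of the handler approach mentioned in the Background (this is example code written for this page, not CommandBox code and not an Undertow built-in), the class below is a fixed-window, per-client-IP limiter implemented as an `io.undertow.server.HttpHandler`. It covers the four desired options: maximum requests per window, window length, the rejection status (429 by default) and an allow-list of exempt addresses. The `server.json` key names mentioned in the comments are hypothetical; the project has not defined any.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Fixed-window, per-client-IP rate limiter for Undertow.
 * Example code only: not part of CommandBox and not an Undertow built-in.
 */
public final class RateLimitHandler implements HttpHandler {

    /** Request counter for one client within one time window. */
    private static final class Window {
        final long start;                               // window start, ms since epoch
        final AtomicInteger count = new AtomicInteger();
        Window(long start) { this.start = start; }
    }

    private final HttpHandler next;
    private final int maxRequests;       // hypothetical server.json key: rateLimit.maxRequests
    private final long windowMillis;     // hypothetical key: rateLimit.windowSeconds (x1000)
    private final int rejectStatus;      // hypothetical key: rateLimit.statusCode (default 429)
    private final Set<String> allowList; // hypothetical key: rateLimit.allowList (exempt IPs)
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public RateLimitHandler(HttpHandler next, int maxRequests, long windowMillis,
                            int rejectStatus, Set<String> allowList) {
        this.next = next;
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
        this.rejectStatus = rejectStatus;
        this.allowList = allowList;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        String ip = clientIp(exchange);
        if (allowList.contains(ip) || allow(ip, System.currentTimeMillis())) {
            next.handleRequest(exchange);   // under the limit: pass through to the application
            return;
        }
        // Over the limit: answer here so the CF engine never sees the request.
        exchange.setStatusCode(rejectStatus);
        exchange.getResponseHeaders().put(Headers.RETRY_AFTER, Long.toString(windowMillis / 1000));
        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
        exchange.getResponseSender().send("Too Many Requests");
    }

    /** True if this request still fits in the client's current window; starts a new window when the old one expired. */
    boolean allow(String ip, long now) {
        Window w = windows.compute(ip, (k, old) ->
            (old == null || now - old.start >= windowMillis) ? new Window(now) : old);
        return w.count.incrementAndGet() <= maxRequests;
    }

    /** Peer address as Undertow sees it; behind a proxy this is the proxy, see the note below. */
    private static String clientIp(HttpServerExchange exchange) {
        InetSocketAddress addr = exchange.getSourceAddress();
        InetAddress ia = addr == null ? null : addr.getAddress();
        return ia == null ? "unknown" : ia.getHostAddress();
    }

    /** Drop expired windows so the map does not grow with every IP ever seen; run from a scheduled task. */
    void evictExpired(long now) {
        windows.entrySet().removeIf(e -> now - e.getValue().start >= windowMillis);
    }

    public static void main(String[] args) {
        HttpHandler app = ex -> ex.getResponseSender().send("hello");
        // Constructed demo settings: 5 requests per 10 seconds, 429 on reject,
        // with one hypothetical monitoring host exempted.
        RateLimitHandler limiter =
            new RateLimitHandler(app, 5, 10_000L, 429, Set.of("10.0.0.5"));
        Undertow.builder().addHttpListener(8080, "0.0.0.0").setHandler(limiter).build().start();
    }
}
```

Run it and issue seven quick requests from one machine (`for i in $(seq 1 7); do curl -s -o /dev/null -w "%{http_code}\n" localhost:8080; done`): the first five return 200, the rest 429 with a `Retry-After` header until the 10-second window rolls over. Two caveats matter in practice. If the server sits behind nginx, a load balancer or a CDN, `getSourceAddress()` is the proxy's address and every client shares one bucket; wrap the limiter in Undertow's `ProxyPeerAddressHandler` (and only trust `X-Forwarded-For` from known proxies) so the real client IP is counted. And a per-IP limit is effective against single-source scanners, bots and brute forcing, but a distributed DDoS spreads traffic across many addresses that each stay under the limit, so it complements rather than replaces upstream volumetric protection.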

Activity

Luis Majano, January 16, 2025 at 9:01 PM

Yes. And part of BoxLang as well

Brad Wood, January 16, 2025 at 7:29 PM

Thanks for the ticket. I still really like this idea and we’ll likely implement it. However, this feature will probably be a candidate to be part of CommandBox Pro’s subscription model. cc do you agree?

Alex Rousseau, January 16, 2025 at 6:47 PM


Created January 16, 2025 at 6:44 PM
Updated January 16, 2025 at 9:01 PM