Docs
✨ Features
Automated Moderation

Automated Moderation System (optional)

The Automated Moderation System uses a scoring mechanism to track user violations. As users commit actions like excessive logins, registrations, or messaging, they accumulate violation scores. Upon reaching a set threshold, the user and their IP are temporarily banned. This system ensures platform security by monitoring and penalizing rapid or suspicious activities.

In production, you should have Cloudflare or some other DDoS protection in place to really protect the server from excessive requests, but these changes will largely protect you from the single or several bad actors targeting your deployed instance for proxying.

Notes

  • Uses Caching for basic security and violation logging (bans, concurrent messages, exceeding rate limits)
    • In the near future, I will add Redis support for production instances, which can be easily injected into the current caching setup
  • Exceeding any of the rate limiters (login/registration/messaging) is considered a violation, default score is 1
  • Non-browser origin is a violation
  • Default score for each violation is configurable
  • Enabling any of the limiters and/or bans enables caching/logging
  • Violation logs can be found in the data folder, which is created when logging begins: librechat/data
    • Only violations are logged
    • violations.json keeps track of the total count for each violation per user
    • logs.json records each individual violation per user
  • Ban logs are stored in MongoDB under the logs collection. They are transient as they only exist for the ban duration
    • If you would like to remove a ban manually, you would have to remove them from the database manually and restart the server
    • Redis support is also planned for this.

Rate Limiter Types

Login and Registration Rate Limiting

Prevents brute force attacks and spam registrations by limiting how many login attempts or new account registrations can be made from a single IP address within a time window.

Message Rate Limiting

Controls how frequently users can send messages to prevent spam and abuse:

  • Concurrent Message Limiting: Limits how many messages a user can send simultaneously (prevents users from opening multiple tabs to bypass limits)
  • Message Frequency Limiting: Controls how often messages can be sent, configurable by both IP address and individual user

Import Conversation Rate Limiting

Prevents abuse of the conversation import feature by limiting how many conversations can be imported within a time window. This helps prevent:

  • Mass data imports that could overwhelm the server
  • Automated scripts attempting to flood the system with imported data
  • Resource exhaustion from processing large numbers of imports

Default limits:

  • IP-based: 100 imports per minute
  • User-based: 50 imports per minute (disabled by default)

Conversation Forking Rate Limiting

Controls how often users can create forks (copies) of existing conversations. This prevents:

  • Excessive database growth from mass conversation duplication
  • Resource exhaustion from fork operations
  • Abuse of the forking feature for spam or data harvesting

Default limits:

  • IP-based: 30 forks per minute
  • User-based: 7 forks per minute (disabled by default)

File Upload Rate Limiting

Configured through the librechat.yaml file, this controls how often users can upload files to prevent storage abuse and bandwidth exhaustion.

Text-to-Speech (TTS) Rate Limiting

Controls how often users can request text-to-speech conversions. This prevents:

  • Excessive API usage costs
  • Server resource exhaustion from audio generation
  • Abuse of the TTS feature for data harvesting

Configured through the librechat.yaml file with customizable limits per IP and per user.

Speech-to-Text (STT) Rate Limiting

Controls how often users can submit audio for transcription. This prevents:

  • Excessive API usage costs
  • Server resource exhaustion from audio processing
  • Abuse of the STT feature for unauthorized transcription services

Configured through the librechat.yaml file with customizable limits per IP and per user.

Password Reset Rate Limiting

Controls how often users can request password reset emails. This prevents:

  • Email bombing attacks
  • Abuse of the password reset system
  • Excessive email service usage

Email Verification Rate Limiting

Controls how often users can request email verification messages. This prevents:

  • Spam attacks through the verification system
  • Email service abuse
  • Resource exhaustion from verification requests

Tool Call Rate Limiting

Controls how often users can make tool/plugin calls. This prevents:

  • Excessive API usage from integrated tools
  • Abuse of external service integrations
  • Resource exhaustion from tool processing

Conversation Access Rate Limiting

Controls how often users can access or attempt to access conversations. This prevents:

  • Unauthorized access attempts
  • Data scraping attacks
  • Excessive database queries

Rate Limiters

The project’s current rate limiters are as follows (see below under setup for default values):

  • Login and registration rate limiting
  • Optional: Concurrent Message limiting (only X messages at a time per user)
  • Optional: Message limiting (how often a user can send a message, configurable by IP and User)
  • Optional: Import conversation limiting (how often a user can import conversations, configurable by IP and User)
  • Optional: Conversation forking limiting (how often a user can fork conversations, configurable by IP and User)
  • Optional: Text-to-Speech (TTS) limiting (configurable through librechat.yaml config file)
  • Optional: Speech-to-Text (STT) limiting (configurable through librechat.yaml config file)
  • Optional: File Upload limiting (configurable through librechat.yaml config file)

For further details, refer to the configuration guide provided here: Automated Moderation

Import ConversationsFile Context (OCR)