My Vaadin application runs behind NGINX. I want to add rate limiting (at the NGINX level) but I’m not sure about the configuration. Because all states, … are handled on the server, I’m not sure regarding the number of allowed web service calls. Of course, it depends on the built application, but is there any recommendation?
- use static pages hosted on your NGINX for public pages
- use an external security provider so that all Vaadin pages are protected / not accessible without authentication
- (if you really need to; because it’s not really needed anymore) add a 1000 requests per minute limit which should be sufficient for 1-50 users from a single IP depending on their “click rate” and application design
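
An NGINX configuration along the lines of this answer, as an added example that is not part of the original post: public pages served as static files and a per-IP limit of 1000 requests per minute in front of the Vaadin server. The host name, file paths, upstream address, zone name and burst size are assumptions to adapt.

```nginx
# Added example. Place in the http {} context.
# app.example.com, /var/www/site, 127.0.0.1:8080, the zone name and
# burst=50 are assumed values, not taken from the thread.

# One state entry per client IP. NGINX documents about 16,000 states per
# megabyte, so 10m tracks roughly 160,000 addresses.
limit_req_zone $binary_remote_addr zone=vaadin_per_ip:10m rate=1000r/m;

server {
    listen 80;
    server_name app.example.com;

    # Public pages: plain files from disk, never reaching the Vaadin
    # server, so they create no server-side session state.
    location /public/ {
        root /var/www/site;
        try_files $uri $uri/ =404;
    }

    # Everything else is the Vaadin application.
    location / {
        # 1000r/m is enforced as one request every 60 ms, not as a
        # per-minute bucket. Without burst, a page load that fires
        # several requests at once would be rejected. burst queues up
        # to 50 excess requests; nodelay forwards them immediately
        # instead of spacing them out.
        limit_req zone=vaadin_per_ip burst=50 nodelay;

        # Default rejection status is 503; 429 separates throttling
        # from real backend failures in monitoring.
        limit_req_status 429;
        limit_req_log_level warn;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Rejected requests are written to the error log with the zone name, which is the place to check whether legitimate users behind a shared IP are hitting the limit.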