
403 Response Code #4165

@LaurenceJJones

Update (09/01/2026, 11:00 UTC)

The extensive timeline has been moved to the Details section for clarity.

Details

Update (05/01/2026, 11:00 UTC)

Rate limits will be reintroduced shortly; please follow the instructions below.

Update (23/12/2025, 15:00 UTC)

We have decided not to re-enable rate limits until the new year; however, please fix your deployments as soon as possible, as described below.

Update (23/12/2025, 11:00 UTC)

We have temporarily lifted rate limits while we investigate reports that some Enterprise customers—who should be exempt—may still be impacted.

Important: this is a temporary measure. Rate limiting will be re-enabled.
Please follow the instructions below now to ensure you are not affected when enforcement resumes.

Update (23/12/2025, 08:00 UTC)

Thank you to everyone who has already taken action to resolve the issue, whether on Pangolin or standard deployments. We’ve seen over 5,000 instances significantly reduce their API call volume, and we appreciate the quick response from the community.

That said, messages containing threats or abusive language sent to our support or security address are not acceptable. We understand this change has caused frustration, but we need to keep communications respectful so we can focus on helping users and maintaining service reliability.

To reduce friction for users who have already fixed their configuration, we’ve adjusted the rate-limiting behaviour to be more forgiving. If you’ve corrected your setup (per the guidance shared previously) and stop the CrowdSec container or service for at least one hour, the rate limit should now be lifted automatically. Previously, the automatic window was eight hours, which we recognize was too long for users who prefer not to reach out.

We are continuing to actively monitor the situation and will make further adjustments if needed.


Please read https://www.crowdsec.net/blog/introducing-rate-limiting-crowdsec-central-api

Non-Pangolin users

You may be rate limited if you have multiple instances behind one egress IP, or if you didn't notice that CrowdSec was restarting in a loop. Ensure you have fixed the problem with CrowdSec, or with an egress IP (you're running lots of CrowdSec instances); then you may fall into our Enterprise status. However, it is most likely that a CrowdSec instance was looping and causing excessive calls to CAPI.

Pangolin users, read:

https://github.com/orgs/fosrl/discussions/2119

Follow the steps above and reach out (see below) to remove the rate limit, or wait 1 hour before bringing CrowdSec up again.

If you fail to wait, or keep CrowdSec running, it will prolong the rate limit.

Here is an email template:

Hi,

I have updated my Pangolin healthcheck and redeployed the stack (`docker compose up -d`). The healthcheck is now configured to point to **LAPI** (not **CAPI**) and I have verified this using `docker inspect <container_id>`.

Could you temporarily lift the rate limit for my server so I can confirm everything is working as expected?

Server IP: `<your_pangolin_ip>`

Additional details (optional):

* Current healthcheck command/output: `<paste relevant docker inspect output>`
* Relevant logs: `<paste logs here>`

Thank you,
`<your_name>`

If you believe you were wrongfully rate limited, contact: security@crowdsec.net
(Include approximate time, source IP, and relevant logs/errors.)

We operate in European time zones; please expect a response during daylight hours.
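The two causes named in this issue (a container healthcheck that hits CAPI on every probe, and a CrowdSec instance stuck in a restart loop) can both be read off `docker inspect`. The script below is an added example, not code from the original issue, CrowdSec or Pangolin. It assumes a CAPI-hitting healthcheck is recognisable by the string `capi` (for example `cscli capi status`) or the host `api.crowdsec.net`, that an LAPI healthcheck mentions `lapi` or a local address, and that a restart count of 5 or more indicates a loop; the threshold and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CrowdSec or Pangolin project code): triage one container
# record of the form "<RestartCount> <Healthcheck JSON>" as produced by
#   docker inspect --format '{{.RestartCount}} {{json .Config.Healthcheck}}' <container>
# The sample records at the bottom are constructed inputs, not captured output.

# Classify a healthcheck definition as CAPI, LAPI, NONE or UNKNOWN.
# Assumption: CAPI probes contain "capi" or the CAPI hostname; LAPI probes
# contain "lapi" or point at a local address/port.
classify_healthcheck() {
  hc="$1"
  case "$hc" in
    ""|null) echo NONE ;;
    *api.crowdsec.net*|*capi*) echo CAPI ;;
    *lapi*|*localhost*|*127.0.0.1*|*:8080*) echo LAPI ;;
    *) echo UNKNOWN ;;
  esac
}

# Evaluate one record and print "<healthcheck class> <LOOPING|STABLE>".
# Assumption: RestartCount >= 5 is treated as a restart loop (heuristic;
# RestartCount only grows under a Docker restart policy).
assess_instance() {
  rec="$1"
  count="${rec%% *}"
  hc="${rec#* }"
  [ "$hc" = "$rec" ] && hc=""        # no healthcheck part present
  kind=$(classify_healthcheck "$hc")
  if [ "$count" -ge 5 ] 2>/dev/null; then
    loop=LOOPING
  else
    loop=STABLE
  fi
  echo "$kind $loop"
}

# Constructed sample records (not real docker inspect output).
SAMPLE_BAD='12 {"Test":["CMD","cscli","capi","status"],"Interval":30000000000}'
SAMPLE_GOOD='0 {"Test":["CMD","cscli","lapi","status"],"Interval":30000000000}'
SAMPLE_NONE='0 null'

# Offline demo: a CAPI healthcheck on a looping container is the worst case.
for rec in "$SAMPLE_BAD" "$SAMPLE_GOOD" "$SAMPLE_NONE"; do
  echo "$rec => $(assess_instance "$rec")"
done
```

On a live host, feed the output of the `docker inspect --format` command shown in the header comment to `assess_instance`. A `CAPI` verdict means the healthcheck must be switched to LAPI before the container is brought back; `LOOPING` means the restart cause has to be fixed first. In both cases the issue's guidance still applies: stop the container for at least one hour afterwards so the rate limit can lift.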
