As a security measure, LiveAgent uses request rate-limiting in several places of the application.
- The agent as well as visitor login and change password can be attempted 10 times per hour. Successful login resets the counter.
- Password reset can be requested 5 times per hour. After 20 submitted password reset forms with incorrect values all password reset requests are invalidated as protection against brute force attacks.
- API requests are limited to 180 per minute per API key.
- New visitor registrations are limited to 5 per minute per IP address or 500 per hour total.
- Contact forms can be submitted a maximum of 2 times per minute per IP address.
- Knowledgebase searches are limited to 100 per minute.
- Custom domain setting and custom knowledge base domain can be saved 10 times per minute.
- The file can be uploaded from URL a maximum 20 times per minute per domain.
- The HTTP rate limit is 300 requests per second per IP address (on each load balancer). On top of this, we limit the number of TCP connections to 300 per second per IP address. Users that reach the connection limit will see new connections being refused.