Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.dualship.run/llms.txt

Use this file to discover all available pages before exploring further.

Each project can be configured with settings that control logging behavior, rate limiting, CORS headers, and sensitive data masking.

Settings Structure

{
  "logging": {
    "enabled": true
  },
  "rate_limit": {
    "enabled": false,
    "requests_per_min": 1000,
    "burst_size": 100
  },
  "cors": {
    "enabled": false,
    "allowed_origins": ["*"],
    "allowed_methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
    "allowed_headers": ["Origin", "Content-Type", "Accept", "Authorization"],
    "allow_credentials": false,
    "max_age": 86400
  },
  "log_filters": {
    "masked_keywords": []
  }
}

Logging

Control whether runtime logs are captured for flow executions.
SettingTypeDefaultDescription
logging.enabledbooleantrueEnable/disable runtime logging for all flows
When disabled, no execution logs are written to the logging system. This can be useful for high-volume projects where logging overhead is a concern. Individual nodes can also control their own logging with the log field, but this project-level setting takes precedence when set to false.

Rate Limiting

Protect your APIs from abuse by limiting request rates.
SettingTypeDefaultDescription
rate_limit.enabledbooleanfalseEnable/disable rate limiting
rate_limit.requests_per_minnumber1000Maximum requests per minute per IP
rate_limit.burst_sizenumber100Additional burst capacity above the limit

How Rate Limiting Works

Rate limits are applied per project + IP address combination. When a client exceeds the limit, subsequent requests receive a 429 Too Many Requests response until the rate limit window resets.

Rate Limit Response

When the rate limit is exceeded: 
HTTP 429 Too Many Requests

Headers:
  X-RateLimit-Limit: 1000
  X-RateLimit-Remaining: 0
  X-RateLimit-Reset: 1704067200
  Retry-After: 45

Body:
{"error": "rate limit exceeded", "retry_after": 45}
HeaderDescription
X-RateLimit-LimitThe rate limit ceiling
X-RateLimit-RemainingRemaining requests in current window
X-RateLimit-ResetUnix timestamp when the limit resets
Retry-AfterSeconds until requests are allowed again

CORS

Configure Cross-Origin Resource Sharing headers for browser-based API access.
SettingTypeDefaultDescription
cors.enabledbooleanfalseEnable/disable CORS headers
cors.allowed_originsstring[]["*"]Allowed origins (supports wildcards)
cors.allowed_methodsstring[]Standard methodsAllowed HTTP methods
cors.allowed_headersstring[]Standard headersAllowed request headers
cors.allow_credentialsbooleanfalseAllow credentials in requests
cors.max_agenumber86400Preflight cache duration (seconds)

Wildcard Origins

You can use wildcards in allowed_origins: 
{
  "cors": {
    "enabled": true,
    "allowed_origins": [
      "https://example.com",
      "https://*.example.com",
      "http://localhost:*"
    ]
  }
}

Default Headers

When CORS is enabled, these are the default allowed values: Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS Headers: Origin, Content-Type, Accept, Authorization

Log Filters

Mask sensitive data in logs to protect user privacy and comply with security requirements.
SettingTypeDefaultDescription
log_filters.masked_keywordsstring[][]Field names to mask in logs

How Masking Works

Any field matching a keyword in masked_keywords will have its value replaced with [MASKED] in logs. Masking is:
  • Case-insensitive: password matches Password, PASSWORD, etc.
  • Recursive: Works on nested objects and arrays
  • Non-destructive: Only affects logged data, not actual execution

Example

Configuration: 
{
  "log_filters": {
    "masked_keywords": ["password", "api_key", "secret", "token"]
  }
}
Original request data: 
{
  "username": "john",
  "password": "secret123",
  "api_key": "sk_live_xxx",
  "profile": {
    "secret": "hidden_value"
  }
}
Logged data: 
{
  "username": "john",
  "password": "[MASKED]",
  "api_key": "[MASKED]",
  "profile": {
    "secret": "[MASKED]"
  }
}

Common Keywords to Mask

Consider masking these common sensitive fields:
  • password, passwd, pwd
  • api_key, apikey, api_secret
  • token, access_token, refresh_token
  • secret, secret_key
  • authorization, auth
  • credit_card, card_number, cvv
  • ssn, social_security

Caching

Project settings are cached in Redis with a 5-minute TTL. When you update settings via the API, the cache is automatically invalidated and new settings take effect immediately.

Examples

Enable Rate Limiting

{
  "rate_limit": {
    "enabled": true,
    "requests_per_min": 100,
    "burst_size": 20
  }
}

Configure CORS for a Frontend App

{
  "cors": {
    "enabled": true,
    "allowed_origins": ["https://app.example.com"],
    "allow_credentials": true
  }
}

Mask Sensitive Fields in Logs

{
  "log_filters": {
    "masked_keywords": ["password", "token", "api_key", "secret"]
  }
}

Disable Logging for High-Volume Project

{
  "logging": {
    "enabled": false
  }
}