stefanprodan / WebApiThrottle

ASP.NET Web API rate limiter for IIS and Owin hosting

Security hole when using ClientKey white listing

lukaskolafa opened this issue · comments

Hello,

I fear I found a security hole in the white list feature by ClientKeys. In order to make this configuration work:

<whitelists>
  <add policyType="2" entry="some-user" />
</whitelists>

you have to configure this setting:

<throttlePolicy clientThrottling="true">

Without clientThrottling enabled, the whitelists are ignored.

The problem with that is that enabling clientThrottling is IMHO a security hole, because it allows hackers to bypass the throttling by sending random clientIds.

It would be great if the ClientKey white lists would work without clientThrottling enabled as well.

Many thanks for the great project and your support!

Best,
Lukas
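One way to keep clientThrottling (and therefore the ClientKey whitelist) switched on without letting an arbitrary key open a fresh throttle bucket is to normalise the identity before the handler counts it. The following is an added example, not code from the issue or from the WebApiThrottle project; it assumes WebApiThrottle's `ThrottlingHandler` exposes a virtual `SetIdentity(HttpRequestMessage)` returning a `RequestIdentity` with `ClientKey`, `ClientIp` and `Endpoint`, a protected `GetClientIp` helper, and that clients send their key in an `Authorization-Key` header; the key set is a constructed placeholder.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using WebApiThrottle;

// Added example (not from the issue or the WebApiThrottle project). Assumes
// ThrottlingHandler.SetIdentity is virtual, RequestIdentity has ClientKey,
// ClientIp and Endpoint, and base.GetClientIp(request) exists.
public class KnownClientThrottlingHandler : ThrottlingHandler
{
    // Keys the server actually issued (constructed placeholder; load from your
    // key store in practice). Only these may become their own throttle bucket
    // or match a policyType="2" whitelist entry such as "some-user".
    private static readonly HashSet<string> KnownKeys =
        new HashSet<string> { "some-user" };

    protected override RequestIdentity SetIdentity(HttpRequestMessage request)
    {
        string ip = base.GetClientIp(request).ToString();

        // Header name is an assumption; adjust to how your clients send keys.
        string presented = request.Headers.Contains("Authorization-Key")
            ? request.Headers.GetValues("Authorization-Key").First()
            : null;

        // A missing or unknown key collapses to the caller's address, so a
        // request carrying a random key shares the bucket of every other
        // anonymous request from that IP instead of getting a fresh counter.
        string key = presented != null && KnownKeys.Contains(presented)
            ? presented
            : "ip:" + ip;

        return new RequestIdentity
        {
            ClientKey = key,
            ClientIp = ip,
            Endpoint = request.RequestUri.AbsolutePath.ToLowerInvariant()
        };
    }
}
```

Register this handler in place of the stock `ThrottlingHandler` with the same policy (clientThrottling="true" and the ClientKey whitelist); whitelisted keys still skip throttling, while unknown keys no longer reset the limit.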