-
Bug
-
Resolution: Fixed
-
Low
-
8.6.0
-
8.06
-
10
-
Severity 3 - Minor
-
3
-
Issue Summary
Jira REST endpoint responses contain a 'setCookies' (Set-Cookie) header. When a REST client includes the received cookies in subsequent requests by default, rate limiting no longer applies to those requests, because the cookies carry characteristics that classify them as originating from UI traffic.
The affected clients may include not only client applications like Postman but also REST client libraries for programming languages.
Steps to Reproduce
Prerequisite: REST calls are performed using Postman.
1. Start a Jira DC node.
2. Set the rate limit to allow 1 request per 1 minute with a burst size of 1.
3. Send a request to rest/api/2/myself with basic authentication.
4. Observe that it is not rate limited, but its response does contain rate-limiting headers (X-RateLimit-Remaining: 0 being the most significant).
5. Repeat the request from step 3 within 60 seconds.
Expected Results
The request gets rate limited, and the response headers contain correct information about rate limiting.
Actual Results
The request does not get rate limited, and its response does not contain any rate-limiting information.
Workaround
Depending on the REST client application or library used, disabling cookie preservation for subsequent requests causes the requests to be correctly rate limited.
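The following is an added example, not code from the Jira issue or from Atlassian: a local mock server that models the behaviour the ticket describes (cookie-less REST requests get a burst of 1 per window and rate-limit headers; requests replaying the session cookie are treated as UI traffic and skip the limit), driven by two stdlib urllib clients. One client keeps cookies, as Postman does by default, and one uses a cookie policy that rejects every cookie, which is the workaround. The cookie name JSESSIONID, the Basic credentials and the server itself are constructed for the demonstration; the ticket only mentions a 'setCookies' header. The same two-request check can be pointed at a real client configuration to confirm that it does not replay cookies.

```python
"""Added example: mock of the described rate-limit bypass and the cookie-rejecting workaround."""
import base64
import http.cookiejar
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_COOKIE = "JSESSIONID"  # assumed cookie name; the ticket does not name it
WINDOW_SECONDS = 60.0          # "1 request per 1 minute"
BURST = 1                      # "burst size 1"


class MockJiraHandler(BaseHTTPRequestHandler):
    """Constructed model of the behaviour in the ticket, not Jira's real logic."""

    def do_GET(self):
        cookie_header = self.headers.get("Cookie", "")
        if SESSION_COOKIE in cookie_header:
            # Replayed session cookie => classified as UI traffic: no limit, no headers.
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b'{"classified":"ui"}')
            return
        # Cookie-less REST request: apply a sliding window per Authorization value.
        key = self.headers.get("Authorization", "anonymous")
        now = time.monotonic()
        hits = [t for t in self.server.state.get(key, []) if now - t < WINDOW_SECONDS]
        if len(hits) >= BURST:
            self.send_response(429)
            self.send_header("X-RateLimit-Remaining", "0")
            self.end_headers()
            return
        hits.append(now)
        self.server.state[key] = hits
        self.send_response(200)
        self.send_header("X-RateLimit-Remaining", str(BURST - len(hits)))
        # The response that starts the problem: a session cookie on a REST reply.
        self.send_header("Set-Cookie", f"{SESSION_COOKIE}=constructed-value; Path=/")
        self.end_headers()
        self.wfile.write(b'{"classified":"rest"}')

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def make_opener(preserve_cookies):
    """Cookie-preserving client vs. the workaround (a policy that accepts no cookie)."""
    if preserve_cookies:
        jar = http.cookiejar.CookieJar()
    else:
        # allowed_domains=[] makes DefaultCookiePolicy reject every Set-Cookie,
        # so nothing is ever replayed on later requests.
        jar = http.cookiejar.CookieJar(
            policy=http.cookiejar.DefaultCookiePolicy(allowed_domains=[]))
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def call_myself(opener, base_url):
    """GET rest/api/2/myself with Basic auth; return (status, X-RateLimit-Remaining)."""
    req = urllib.request.Request(base_url + "/rest/api/2/myself")
    creds = base64.b64encode(b"example-user:example-token").decode()  # constructed
    req.add_header("Authorization", "Basic " + creds)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("X-RateLimit-Remaining")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("X-RateLimit-Remaining")


def two_requests(preserve_cookies):
    """Run steps 3 and 5 of the ticket against the mock; return both (status, header) pairs."""
    server = HTTPServer(("127.0.0.1", 0), MockJiraHandler)
    server.state = {}  # per-server rate-limit bookkeeping
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base_url = f"http://127.0.0.1:{server.server_address[1]}"
        opener = make_opener(preserve_cookies)
        return [call_myself(opener, base_url) for _ in range(2)]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("cookies preserved:", two_requests(preserve_cookies=True))   # second call bypasses the limit
    print("cookies rejected: ", two_requests(preserve_cookies=False))  # second call gets 429
```

With cookies preserved, the second call returns 200 without any X-RateLimit header, reproducing the "Actual Results"; with the reject-all policy, it returns 429 with X-RateLimit-Remaining: 0, matching the "Expected Results".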