From 0ca98bc84f58810c4bd6386d5e1acab5902e237e Mon Sep 17 00:00:00 2001
From: Vishnu Narayanan <iamwishnu@gmail.com>
Date: Thu, 29 Jan 2026 00:24:01 +0530
Subject: [PATCH] feat: add lightweight /health endpoint (#13386)

The existing /api health check endpoint creates a new Redis connection
on every request and checks both Redis and Postgres availability. During
peak traffic, this creates unnecessary load and can cause cascading
failures when either service is slow - instances get marked unhealthy,
traffic shifts to remaining instances, which then also fail health
checks.

The new /health endpoint:
  - Returns immediately with 200 {"status":"woot"}
  - Skips all middleware and authentication
  - No Redis or Postgres dependency
- Suitable for health checks that only need to verify the web server is
responding
---
 app/controllers/health_controller.rb       |  7 +++++++
 config/initializers/rack_attack.rb         |  6 ++++++
 config/routes.rb                           |  1 +
 spec/controllers/health_controller_spec.rb | 11 +++++++++++
 4 files changed, 25 insertions(+)
 create mode 100644 app/controllers/health_controller.rb
 create mode 100644 spec/controllers/health_controller_spec.rb

diff --git a/app/controllers/health_controller.rb b/app/controllers/health_controller.rb
new file mode 100644
index 000000000..fdf969a39
--- /dev/null
+++ b/app/controllers/health_controller.rb
@@ -0,0 +1,7 @@
+# Inherits from ActionController::Base to skip all middleware,
+# authentication, and callbacks. Used for health checks
+class HealthController < ActionController::Base # rubocop:disable Rails/ApplicationController
+  def show
+    render json: { status: 'woot' }
+  end
+end
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index fe40974f2..1f500243a 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -47,6 +47,12 @@ class Rack::Attack
 
   Rack::Attack.safelist('trusted IPs', &:allowed_ip?)
 
+  # Safelist health check endpoint so it never touches Redis for throttle tracking.
+  # This keeps /health fully dependency-free for ALB liveness checks.
+  Rack::Attack.safelist('health check') do |req|
+    req.path == '/health'
+  end
+
   ### Throttle Spammy Clients ###
 
   # If any single client IP is making tons of requests, then they're
diff --git a/config/routes.rb b/config/routes.rb
index 95b77d323..83aed5b79 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -35,6 +35,7 @@ Rails.application.routes.draw do
     resource :slack_uploads, only: [:show]
   end
 
+  get '/health', to: 'health#show'
   get '/api', to: 'api#index'
   namespace :api, defaults: { format: 'json' } do
     namespace :v1 do
diff --git a/spec/controllers/health_controller_spec.rb b/spec/controllers/health_controller_spec.rb
new file mode 100644
index 000000000..7eafdd589
--- /dev/null
+++ b/spec/controllers/health_controller_spec.rb
@@ -0,0 +1,11 @@
+require 'rails_helper'
+
+RSpec.describe 'Health Check', type: :request do
+  describe 'GET /health' do
+    it 'returns success status' do
+      get '/health'
+      expect(response).to have_http_status(:success)
+      expect(response.parsed_body['status']).to eq('woot')
+    end
+  end
+end