Skip to main content
Application Security Standards
Category: DevSecOps

Rate Limiting

Also known as: Request Rate Limiting, Traffic Rate Limiting
Simply put

Rate limiting is a technique that controls how often a user or system can perform an action or send requests within a given time period. It is used to prevent any single source from overwhelming a system by consuming too many resources too quickly. This helps protect services from abuse, automated attacks, and accidental overload.

Formal definition

Rate limiting is a network and application-layer control mechanism that enforces a threshold on the frequency or volume of requests sent or received by a system within a defined time window. Typically implemented at the network interface, API gateway, or application layer, it regulates inbound and outbound traffic to maintain system stability, prevent resource exhaustion, and mitigate abuse patterns such as credential stuffing, scraping, or denial-of-service attempts. Enforcement may be scoped per IP address, user identity, API key, or other client identifier, and is commonly implemented using algorithms such as token bucket, leaky bucket, fixed window, or sliding window counters. Rate limiting operates at the traffic-processing level and can restrict excessive request rates at runtime, though it typically cannot distinguish between legitimate high-volume users and malicious actors without additional contextual signals.

Why it matters

Without rate limiting, a single client or automated process can send requests at arbitrary volume, potentially exhausting server CPU, memory, database connections, or downstream API quotas. This resource exhaustion can degrade service availability for all users, regardless of whether the cause is a deliberate attack or an unintentionally aggressive client. Services exposed to the internet are particularly vulnerable because unauthenticated endpoints have no inherent constraint on how frequently they can be called.

Who it's relevant to

API and Backend Developers
Developers building APIs or backend services need to implement rate limiting to prevent individual clients from consuming disproportionate resources. This includes selecting an appropriate algorithm, choosing the right scoping identifier (IP, user, API key), and ensuring that rate limit responses communicate retry timing clearly to callers.
Security Engineers
Security engineers use rate limiting as a defense-in-depth control against automated abuse patterns such as credential stuffing, brute-force login attempts, account enumeration, and scraping. They must also account for its limitations: rate limiting alone typically cannot distinguish a legitimate high-volume user from a malicious actor without additional contextual signals, and determined adversaries may distribute requests across many IP addresses to evade per-IP thresholds.
Platform and Infrastructure Engineers
Infrastructure teams are responsible for enforcing rate limiting at the network or gateway layer, often using API gateways, reverse proxies, or CDN-level controls. They must ensure that rate limiting state is consistent across distributed or horizontally scaled deployments, which typically requires a shared data store or coordination mechanism rather than in-process counters.
Product and Operations Teams
Product managers and site reliability engineers need to understand rate limiting thresholds to avoid inadvertently blocking legitimate high-volume usage patterns, such as batch processing clients or partner integrations. Misconfigured thresholds that are too restrictive can degrade user experience, while thresholds that are too permissive may fail to provide meaningful protection against abuse.

Inside Rate Limiting

Request Threshold
The defined maximum number of requests permitted from a client or identity within a specified time window, beyond which further requests are throttled or rejected.
Time Window
The interval over which request counts are measured, commonly implemented as fixed windows, sliding windows, or token bucket intervals, each with different burst tolerance characteristics.
Client Identity Scope
The attribute used to identify and group requests for counting purposes, typically IP address, authenticated user identity, API key, or a combination of these.
Enforcement Response
The action taken when a threshold is exceeded, most commonly returning an HTTP 429 Too Many Requests status code, optionally accompanied by Retry-After headers to indicate when the client may resume.
Throttling vs. Hard Blocking
A distinction in enforcement strategy where throttling slows or queues excess requests while hard blocking outright rejects them. The chosen approach affects both user experience and abuse resistance.
Granularity Levels
Rate limits may be applied at multiple layers including global API level, per-endpoint level, per-user level, and per-tenant level, allowing differentiated policies based on sensitivity or resource cost of specific operations.
Distributed State Management
In horizontally scaled deployments, rate limit counters must be stored in a shared, low-latency data store such as Redis to ensure consistent enforcement across multiple application instances.
Exemptions and Allowlists
Configurations that permit certain trusted clients, internal services, or elevated-privilege users to bypass or receive higher thresholds, which must be carefully managed to avoid creating exploitable gaps.

Common questions

Answers to the questions practitioners most commonly ask about Rate Limiting.

Does rate limiting prevent DDoS attacks?
Rate limiting is not a DDoS mitigation tool and should not be relied upon for that purpose. It is designed to regulate request frequency from individual clients or identifiers under normal to moderate load conditions. Volumetric DDoS attacks typically overwhelm network or application infrastructure before rate limiting logic can meaningfully intervene. Dedicated DDoS mitigation services, CDN-layer protections, and network-level controls are the appropriate mechanisms for that threat.
Does rate limiting stop credential stuffing or brute force attacks?
Rate limiting can slow credential stuffing and brute force attempts when attackers operate from a small number of sources, but it does not reliably prevent them. Distributed attacks that spread requests across many IP addresses or rotate identifiers can stay below per-client thresholds while still achieving high aggregate request volume. Rate limiting should be combined with multi-factor authentication, credential breach detection, and behavioral anomaly controls to address these threats more comprehensively.
What identifier should I use as the basis for rate limiting?
The appropriate identifier depends on the endpoint and threat model. IP address is common but can penalize shared egress points such as corporate NAT gateways or penalize legitimate users behind the same address as an attacker. Authenticated user identity is more precise for endpoints behind authentication. API keys or tokens work well for machine-to-machine contexts. In many cases, layering multiple identifiers, for example applying both IP-based and user-based limits, provides more reliable coverage than relying on a single dimension.
Where in the stack should rate limiting be enforced?
Rate limiting is typically enforced at the API gateway, reverse proxy, or load balancer layer so that limits are applied before requests reach application servers. Enforcing limits only within application code is generally less reliable because the application process must still handle the request to evaluate it. For authenticated endpoints, application-layer enforcement using the authenticated identity can complement gateway-layer controls. The appropriate layer depends on what identifier is available at each point in the request path.
How do I choose the right threshold values for rate limits?
Thresholds should be derived from observed baseline traffic patterns for the specific endpoint, not from generic defaults. Analyze normal request rates across representative time windows, including peak usage periods, before setting limits. Thresholds that are too low will generate false positives and block legitimate users. Thresholds that are too high will fail to constrain abusive behavior. Iterative tuning after deployment, informed by monitoring data on both blocked requests and user impact, is typically necessary to arrive at operationally appropriate values.
What should happen when a rate limit is exceeded?
When a limit is exceeded, the server should return an HTTP 429 Too Many Requests response. The response should include a Retry-After header indicating when the client may resume requests, which allows well-behaved clients to back off automatically. Avoid silently dropping requests or returning misleading error codes, as this makes client-side debugging difficult. Rate limit events should be logged with sufficient detail to support monitoring and incident investigation, including the identifier that triggered the limit and the endpoint involved.

Common misconceptions

Rate limiting alone is sufficient to prevent credential stuffing and brute force attacks.
Rate limiting reduces the velocity of such attacks but typically cannot stop them entirely. Attackers may distribute requests across many IP addresses or rotate credentials slowly to stay under thresholds. Complementary controls such as multi-factor authentication, CAPTCHA, and anomaly detection are generally required.
IP-based rate limiting reliably identifies individual users.
Many legitimate users may share a single IP address due to NAT, corporate proxies, or mobile carrier infrastructure. Applying strict per-IP limits in these environments may inadvertently throttle large numbers of legitimate users. Authenticated identity scopes are more precise where available.
Rate limiting is only relevant at the API gateway or network perimeter.
Effective rate limiting may need to be enforced at multiple layers including the application itself, because gateway-level controls can be bypassed by internal traffic, misconfigured routing, or direct access paths that circumvent the perimeter.

Best practices

Apply rate limits at multiple granularity levels (global, per-endpoint, per-user) rather than relying on a single threshold, giving higher protection to sensitive operations such as authentication, password reset, and payment endpoints.
Use authenticated user identity or API key as the primary scoping attribute where possible, and treat IP-based limiting as a supplementary control rather than the sole mechanism.
Return HTTP 429 responses with a Retry-After header so that well-behaved clients can back off gracefully, reducing unnecessary retry storms that may amplify load.
Store rate limit counters in a shared, low-latency data store such as Redis when running multiple application instances to prevent inconsistent enforcement across nodes.
Regularly review and adjust thresholds based on observed legitimate traffic patterns to avoid false positives that degrade the experience of legitimate users while ensuring limits remain meaningful against abuse scenarios.
Audit exemptions and allowlists on a defined schedule to confirm that bypasses granted to trusted clients or internal services remain intentional and do not introduce exploitable gaps as the environment changes.