Home/Glossary/Rate Limiting

Rate Limiting

A technique to control the number of requests a user or system can make within a time window.

API SecurityAlso called: "throttling", "request limiting"

Rate limiting prevents abuse, ensures fair resource usage, and protects against attacks.

Common strategies

  • Fixed window: X requests per Y time period (simple but has burst issues).
  • Sliding window: Rolling time window (more accurate).
  • Token bucket: Accumulate tokens, spend on requests (allows bursts).
  • Leaky bucket: Fixed rate processing (smooths traffic).

Where applied

  • APIs: Prevent excessive calls (e.g., 1000/hour).
  • Login forms: Prevent brute force (e.g., 5/minute).
  • Public endpoints: Protect against DDoS.
  • Email sending: Prevent spam (e.g., 100/day).

Implementation

  • Store counters in Redis/Memcached.
  • Return 429 (Too Many Requests) status.
  • Include Retry-After header.
  • Provide rate limit headers (X-RateLimit-*).

User experience

  • Communicate limits clearly in documentation.
  • Provide feedback when limits are approached.
  • Offer higher tiers for legitimate high-volume users.

Related Tools

Related Articles

View all articles
Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Master the critical metrics behind biometric authentication systems including False Acceptance Rate (FAR), False Rejection Rate (FRR), and Crossover Error Rate (CER). Learn how to evaluate, tune, and deploy biometric systems across enterprise, consumer, and high-security environments.

Read article →
Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.

Read article →
Webhook Scaling & Performance: High-Volume Processing Architecture Guide

Webhook Scaling & Performance: High-Volume Processing Architecture Guide

Learn to build webhook systems that handle millions of events per day. Master queue-based processing, worker pools, rate limiting, batching strategies, and horizontal scaling patterns.

Read article →
AWS Bedrock Pricing Guide: On-Demand vs Provisioned Throughput

AWS Bedrock Pricing Guide: On-Demand vs Provisioned Throughput

Complete guide to AWS Bedrock pricing for Claude, Llama, Titan, and Mistral models. Compare on-demand vs provisioned throughput costs and learn when each makes sense.

Read article →
Back to glossary