
Rate Limiting

A defensive mechanism that restricts the number of requests a user or client can make within a specified time period.

Rate limiting is a security and stability mechanism that restricts the number of requests a client can make to an application or API within a defined time window. By enforcing request thresholds, rate limiting defends against brute-force attacks, credential stuffing, denial of service, scraping, and other forms of automated abuse.

How It Works

Rate limiting tracks incoming requests and associates them with an identity, typically an IP address, API key, user session, or a combination of these identifiers. When the number of requests from a given identity exceeds the defined threshold within the time window, the server responds with an HTTP 429 (Too Many Requests) status code and rejects further requests until the window resets.

Implementation strategies vary. Fixed window rate limiting counts requests within static time intervals but can allow bursts at window boundaries. Sliding window approaches smooth out these bursts by continuously calculating the rate over a rolling time period. Token bucket and leaky bucket algorithms offer more sophisticated control, allowing brief bursts while maintaining a steady average rate. The choice depends on the specific use case and the tolerance for burst traffic.

Different endpoints often require different rate limits. A login endpoint might allow 5 attempts per minute to prevent brute-force attacks, while a search API might allow 100 requests per minute for normal usage. Password reset and one-time code verification endpoints require particularly strict limits because they are prime targets for enumeration and brute-force attacks. Rate limiting that is too permissive provides inadequate protection, while overly aggressive limits degrade the user experience for legitimate users.
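To make the window-boundary issue and the per-endpoint thresholds above concrete, here is an added example (not code from the glossary's author) that implements a fixed-window and a sliding-window-log limiter keyed by identity and endpoint, using the login and search figures quoted in the text. The client IP, the endpoint paths and the policy table are constructed for the demonstration.

```python
from collections import defaultdict, deque


# Constructed per-endpoint policies: (max requests, window in seconds),
# taken from the login and search figures given in the text above.
POLICIES = {"/login": (5, 60.0), "/search": (100, 60.0)}


class FixedWindowLimiter:
    """Counts requests per static interval; a burst can straddle a boundary."""

    def __init__(self, policies):
        self.policies = policies
        self.counts = {}  # (identity, endpoint, window index) -> request count

    def check(self, identity, endpoint, now):
        """Return 200 to allow the request, 429 to reject it."""
        limit, window = self.policies[endpoint]
        key = (identity, endpoint, int(now // window))
        if self.counts.get(key, 0) >= limit:
            return 429
        self.counts[key] = self.counts.get(key, 0) + 1
        return 200


class SlidingWindowLimiter:
    """Keeps the timestamps of accepted requests per (identity, endpoint)."""

    def __init__(self, policies):
        self.policies = policies
        self.log = defaultdict(deque)

    def check(self, identity, endpoint, now):
        """Return 200 to allow the request, 429 to reject it."""
        limit, window = self.policies[endpoint]
        q = self.log[(identity, endpoint)]
        while q and now - q[0] >= window:  # expire entries older than the window
            q.popleft()
        if len(q) >= limit:
            return 429
        q.append(now)
        return 200


def boundary_burst(limiter_cls, identity="203.0.113.7"):
    """Send 5 logins at t=59.9 s and 5 more at t=60.1 s; count those accepted."""
    lim = limiter_cls(POLICIES)
    times = [59.9] * 5 + [60.1] * 5
    return sum(1 for t in times if lim.check(identity, "/login", t) == 200)
```

With a 5-per-minute login policy, the fixed window accepts all 10 attempts because they fall in two adjacent intervals, while the sliding window accepts only the first 5; the search endpoint keeps its own independent 100-per-minute budget.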

Why It Matters

Absent or misconfigured rate limiting is a common finding in security assessments. Without it, attackers can launch unlimited brute-force attacks against login forms, enumerate valid usernames, exhaust one-time codes, and abuse resource-intensive operations to cause denial of service. Effective rate limiting is a fundamental defensive control that complements other security measures like account lockout policies and CAPTCHA challenges. It is particularly critical for APIs, which are often designed for programmatic access and are therefore easier to abuse at scale.
