Rate Limiting
What is Rate Limiting?
Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force.
Rate limiting is a traffic-shaping control that enforces a maximum request count per identifier per interval, returning 429 Too Many Requests or queuing once the budget is exhausted. Common algorithms include token bucket (burst-tolerant, rate-stable), leaky bucket (smooths bursts into constant output), fixed window (simple but spikes at boundaries), and sliding window (more accurate, slightly costlier). Modern API gateways, CDNs, and WAFs implement multi-key rate limits (per IP, per user, per token, per endpoint) and combine them with bot management and credential-stuffing defenses. Rate limiting is the cheapest first line of defense against scraping, enumeration, brute-force login, and accidental client retry storms.
● Examples
- 01
Limiting a public login API to 10 requests per minute per IP to slow credential stuffing.
- 02
Token-bucket throttling on a search endpoint to absorb bursts but stop a scraper.
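As an added example (not code from the original page), the token-bucket algorithm from the definition above applied to the first example's policy of 10 requests per minute per IP on a login endpoint: the bucket holds the burst budget, refills at the sustained rate, and the caller gets a 429 with a Retry-After header once the budget is spent. The handler, IP addresses and traffic are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # remaining budget for this identifier
    last: float    # timestamp of the last refill


class TokenBucketLimiter:
    """Per-identifier token bucket: up to `capacity` requests may burst,
    and the bucket refills `capacity` tokens every `window` seconds."""

    def __init__(self, capacity: int, window: float):
        self.capacity = capacity
        self.window = window
        self.buckets: dict[str, Bucket] = {}

    def check(self, key: str, now: float) -> tuple[bool, float]:
        """Spend one token for `key` at time `now`.
        Returns (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(self.capacity), last=now)
        # Refill in proportion to elapsed time, never above the burst size.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(self.capacity, b.tokens + elapsed * self.capacity / self.window)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        # Budget exhausted: report when a full token will be available again.
        return False, (1.0 - b.tokens) * self.window / self.capacity


def handle_login(limiter: TokenBucketLimiter, client_ip: str, now: float):
    """Hypothetical front of a login handler: returns (status, headers)."""
    allowed, retry_after = limiter.check(client_ip, now)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {}


def simulate():
    # Constructed traffic: one IP fires 12 requests at t=0, retries 30 s later
    # (half the window, so 5 tokens have refilled); a second IP is unaffected.
    limiter = TokenBucketLimiter(capacity=10, window=60.0)
    burst = [handle_login(limiter, "198.51.100.7", 0.0) for _ in range(12)]
    later = handle_login(limiter, "198.51.100.7", 30.0)
    other = handle_login(limiter, "203.0.113.9", 0.0)
    return {"burst": burst, "later": later, "other": other}
```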
● Frequently asked questions
What is Rate Limiting?
Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force. It belongs to the Network Security category of cybersecurity.
What does Rate Limiting mean?
Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force.
How does Rate Limiting work?
Rate limiting is a traffic-shaping control that enforces a maximum request count per identifier per interval, returning 429 Too Many Requests or queuing once the budget is exhausted. Common algorithms include token bucket (burst-tolerant, rate-stable), leaky bucket (smooths bursts into constant output), fixed window (simple but spikes at boundaries), and sliding window (more accurate, slightly costlier). Modern API gateways, CDNs, and WAFs implement multi-key rate limits (per IP, per user, per token, per endpoint) and combine them with bot management and credential-stuffing defenses. Rate limiting is the cheapest first line of defense against scraping, enumeration, brute-force login, and accidental client retry storms.
How do you defend against Rate Limiting?
Defences for Rate Limiting typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Rate Limiting?
Common alternative names include: Throttling, API rate limit.
● Related terms
- network-security № 291
DDoS Mitigation
DDoS mitigation is the set of techniques and services that absorb, filter, and re-route distributed denial-of-service attacks before they exhaust a target's network, infrastructure, or application capacity.
- network-security № 118
Bot Management
Bot management is the practice of detecting automated traffic and distinguishing good bots from malicious ones, then allowing, challenging, or blocking each accordingly.
- network-security № 1219
WAAP
WAAP (Web Application and API Protection) is the modern evolution of WAF, adding API security, bot management, and DDoS protection into a unified cloud service.
- appsec № 052
API Security
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
- attacks № 232
Credential Stuffing
An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- attacks № 130
Brute Force Attack
An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found.
● See also
- № 144 CAPTCHA
- № 151 CDN Security
- № 008 Account Enumeration
- № 1196 Username Enumeration