Rate Limiting

Security Glossary - Web Security

Definition: Rate limiting restricts the number of requests a client can make to a server within a specified time window. It protects against brute force attacks, credential stuffing, API abuse, and denial-of-service attempts by blocking or throttling clients that exceed the allowed request rate.

Why Rate Limiting Matters

Without rate limiting, an attacker can send unlimited requests to your login endpoint (brute forcing passwords), to your API (consuming expensive resources or extracting data at scale), or to any endpoint (denial of service). Rate limiting does not make these attacks impossible, but it caps the attacker's throughput per identifier: a login form limited to 5 attempts per minute turns a one-million-entry password list into a multi-month job from a single IP, which is why credential-stuffing tools spread their attempts across many IPs and why per-account limits matter alongside per-IP ones.

Effective rate limiting requires choosing the right identifier (IP address, API key, user account, or a combination of them), the right limits (strict enough to stop attacks but permissive enough for legitimate use), and the right response (429 Too Many Requests with a Retry-After header, so well-behaved clients know when to try again).

Common rate limiting strategies include per-IP limits for login endpoints (e.g., 5 attempts per minute), per-API-key limits for API usage (e.g., 100 requests per minute), and progressive penalties (an increasing delay after each consecutive failed attempt, so a patient attacker gets exponentially fewer guesses than a fixed window would allow). For login endpoints, account lockout after N failed attempts adds another layer, with a caveat: a permanent lockout keyed only on the username lets anyone deny service to a victim by sending N wrong passwords, so lockouts should be temporary and escalating, keyed on the account together with the source, and paired with a per-account limit because credential stuffing spreads its attempts across many IPs.
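The strategies above in working code, as an added example that is not code from the glossary page: a token-bucket limiter keyed on any identifier (a per-API-key limit and a per-IP-plus-account login limit), progressive penalties for consecutive failed logins, and a 429 response carrying Retry-After and X-RateLimit-* headers. The class and function names, the header set, the IP addresses, account names and the two simulated traffic patterns are all constructed for the example; `now` is passed explicitly so the simulations are deterministic.

```python
# Added example (not code from the original glossary page): a token-bucket
# limiter with progressive penalties and 429 + Retry-After. Names are assumptions.
import math
import time
from dataclasses import dataclass


@dataclass
class _State:
    tokens: float              # tokens left in this key's bucket
    updated: float             # timestamp of the last refill
    failures: int = 0          # consecutive failures, drives the penalty
    blocked_until: float = 0.0


class TokenBucketLimiter:
    """`capacity` requests per `window` seconds per key: a burst of `capacity`
    tokens, refilled continuously at capacity/window tokens per second."""

    def __init__(self, capacity, window, penalty_base=2.0, penalty_cap=300.0):
        self.capacity, self.rate = capacity, capacity / window
        self.penalty_base, self.penalty_cap = penalty_base, penalty_cap
        self._buckets = {}

    def _bucket(self, key, now):
        st = self._buckets.get(key)
        if st is None:
            st = self._buckets[key] = _State(float(self.capacity), now)
        else:
            st.tokens = min(self.capacity, st.tokens + (now - st.updated) * self.rate)
            st.updated = now
        return st

    def check(self, key, now=None):
        """Consume one token; returns (allowed, headers). Denials carry Retry-After."""
        now = time.monotonic() if now is None else now
        st = self._bucket(key, now)
        headers = {"X-RateLimit-Limit": str(self.capacity), "X-RateLimit-Remaining": "0"}
        if now < st.blocked_until:              # progressive penalty still running
            headers["Retry-After"] = str(math.ceil(st.blocked_until - now))
            return False, headers
        if st.tokens >= 1:
            st.tokens -= 1
            headers["X-RateLimit-Remaining"] = str(int(st.tokens))
            return True, headers
        headers["Retry-After"] = str(math.ceil((1 - st.tokens) / self.rate))
        return False, headers

    def record_failure(self, key, now=None):
        """n-th consecutive failure blocks the key for penalty_base * 2**(n-1) s."""
        now = time.monotonic() if now is None else now
        st = self._bucket(key, now)
        st.failures += 1
        delay = min(self.penalty_cap, self.penalty_base * 2 ** (st.failures - 1))
        st.blocked_until = now + delay
        return delay

    def record_success(self, key, now=None):
        st = self._bucket(key, time.monotonic() if now is None else now)
        st.failures, st.blocked_until = 0, 0.0


def login_key(ip, username):
    # Key on (IP, account): one mistyped password behind a corporate NAT does not
    # lock out everyone on that NAT, yet a single source is still throttled.
    return f"login:{ip}:{username.strip().lower()}"


def handle_login(limiter, ip, username, password_ok, now):
    """What a login handler would return: (HTTP status, rate-limit headers)."""
    key = login_key(ip, username)
    allowed, headers = limiter.check(key, now)
    if not allowed:
        return 429, headers
    if password_ok:
        limiter.record_success(key, now)
        return 200, headers
    limiter.record_failure(key, now)
    return 401, headers


def simulate_api_burst(burst=103):
    """Constructed traffic: one API key sends `burst` requests in the same
    instant against a 100/min limit, then one more request two minutes later."""
    lim = TokenBucketLimiter(capacity=100, window=60)
    allowed = denied = 0
    retry_after = None
    for _ in range(burst):
        ok, headers = lim.check("apikey:k_demo", now=0.0)
        allowed += ok
        denied += not ok
        retry_after = headers.get("Retry-After", retry_after)
    ok_later, later = lim.check("apikey:k_demo", now=120.0)
    return allowed, denied, retry_after, ok_later, later["X-RateLimit-Remaining"]


def simulate_patient_brute_force(seconds=600):
    """Constructed traffic: one IP guesses one account's password and honours
    every Retry-After. Returns how many guesses were actually evaluated."""
    lim = TokenBucketLimiter(capacity=5, window=60)
    now, guesses = 0.0, 0
    while now < seconds:
        status, headers = handle_login(lim, "203.0.113.7", "alice", False, now)
        if status == 429:
            now += int(headers["Retry-After"])     # attacker waits as told
        else:
            guesses += 1
    return guesses
```

With these settings the burst scenario admits exactly 100 requests, answers the next three with 429 and Retry-After: 1, and admits traffic again once the window has refilled; the patient brute-force scenario gets only 9 password guesses evaluated in ten minutes, against thousands on an unthrottled endpoint at ten requests per second. Two accounts behind the same IP get separate buckets, so one user's typos do not lock out the other.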

How to Check

A security audit evaluates rate limiting by sending a burst of rapid requests (for example, twenty failed logins against a throwaway test account within a few seconds) and observing whether the server starts answering 429 Too Many Requests with a Retry-After header, or at least slows its responses. Headers such as X-RateLimit-Limit and X-RateLimit-Remaining advertise the policy when present, but they are a convention rather than a standard, so their absence does not prove that no limit exists; Retry-After on a 429 is the standardized signal (RFC 6585 defines the status code and allows the header). Edge and CDN providers such as Cloudflare, and most cloud API gateways, offer built-in rate limiting, but they only see traffic that passes through them: an origin server that is reachable directly bypasses the edge rule entirely. Only probe systems you are authorized to test.
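One way to run that check, as an added example that is not part of the original page: a probe that fires back-to-back requests at an endpoint and records status, headers and latency, and a separate assessment over the captured responses that reports whether throttling kicked in, whether the 429 carried Retry-After, whether any rate-limit headers were advertised, and whether later requests were markedly slower (gradual throttling shows up as latency rather than status codes). The `probe` function needs a live target you are authorized to test and is not exercised here; `assess` runs on the constructed captures below. The URL, credentials and captures are assumptions.

```python
# Added example (not from the original page): rapid-request probe plus an
# assessment of the captured responses. Only probe systems you may test, and
# use a throwaway account; the sample captures below are constructed.
import statistics
import time
import urllib.error
import urllib.request


def probe(url, count=20, body=b"username=audit-test&password=wrong"):
    """Send `count` back-to-back POSTs; returns [(status, headers, seconds)]."""
    out = []
    for _ in range(count):
        req = urllib.request.Request(url, data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        t0 = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                status, headers = resp.status, dict(resp.headers)
        except urllib.error.HTTPError as e:   # 4xx/5xx raise but are still responses
            status, headers = e.code, dict(e.headers)
        out.append((status, headers, time.monotonic() - t0))
    return out


def assess(responses):
    """Returns (index of the first 429 or None, list of findings)."""
    statuses = [s for s, _, _ in responses]
    hdrs = [{k.lower(): v for k, v in h.items()} for _, h, _ in responses]
    times = [t for _, _, t in responses]
    findings = []
    first_429 = next((i for i, s in enumerate(statuses) if s == 429), None)
    if first_429 is None:
        findings.append(f"no 429 in {len(statuses)} rapid requests: not visibly throttled")
    else:
        findings.append(f"throttled after {first_429} requests")
        if "retry-after" not in hdrs[first_429]:
            findings.append("429 lacks Retry-After: clients cannot back off correctly")
    if not any("x-ratelimit-limit" in h or "ratelimit-limit" in h for h in hdrs):
        findings.append("no rate-limit headers advertised (a convention, not proof of absence)")
    # Gradual throttling (tarpitting) shows up as latency, not status codes:
    # compare the median of the last third of requests with the first third.
    third = len(times) // 3
    if third and statistics.median(times[-third:]) > 3 * statistics.median(times[:third]):
        findings.append("later requests markedly slower: progressive delay in effect")
    return first_429, findings


# Constructed capture: a login endpoint that allows five attempts, then blocks.
SAMPLE_THROTTLED = (
    [(401, {"X-RateLimit-Limit": "5", "X-RateLimit-Remaining": str(4 - i)}, 0.05)
     for i in range(5)]
    + [(429, {"X-RateLimit-Limit": "5", "X-RateLimit-Remaining": "0",
              "Retry-After": "60"}, 0.01)] * 3
)
# Constructed capture: an endpoint with no limiting and no advertised policy.
SAMPLE_OPEN = [(401, {"Content-Type": "text/html"}, 0.05)] * 8
```

Run it against a real target with `assess(probe("https://example.test/login"))`; a clean result is a single "throttled after N requests" finding with N close to the documented limit. Anything else in the list is a finding to raise. Because HTTP status alone misses tarpitting, the latency comparison matters for endpoints that slow down instead of blocking.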

Frequently Asked Questions

What rate limits should I set?
It depends on the endpoint. Login endpoints: 5-10 attempts per minute per IP. Public API: 60-100 requests per minute per API key. Sensitive operations (password reset): 3-5 per hour. Start generous and tighten based on traffic patterns.
Can rate limiting block legitimate users?
Yes, if limits are too strict or if multiple users share an IP (corporate NATs, mobile carriers). Use multiple signals (IP + account + browser fingerprint) and implement gradual throttling rather than hard blocks. Always provide clear rate limit headers.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.