Rate Limiting

Web

Definition

A technique that restricts the number of requests a client can make to an API or server within a time window. Rate limiting protects against abuse, brute-force attacks, and resource exhaustion.

Why Rate Limiting Is Necessary

Without rate limiting, a single client can overwhelm an API with thousands of requests per second, degrading service for legitimate users or exhausting backend resources. Rate limiting enforces a maximum request rate — per IP, per user token, or per API key — providing protection against denial-of-service attacks, credential stuffing, and runaway client bugs.

Common Algorithms

Token Bucket grants a bucket of tokens that refills at a fixed rate; each request consumes a token. Burst traffic is allowed until the bucket empties. Fixed Window counts requests in discrete time windows (e.g., 1,000 requests per minute); simple but susceptible to boundary spikes. Sliding Window Log tracks exact timestamps of recent requests for precise limiting at the cost of higher memory usage. Leaky Bucket smooths traffic to a constant output rate regardless of input bursts, protecting downstream services.

Implementation Points

Rate limiting can be applied at multiple layers: the API GatewayA server that acts as a single entry point for multiple backend microservices, handling request routing, rate limiting, authentication, and protocol translation. Examples include Kong, AWS API Gateway, and Nginx., a Reverse ProxyA server that sits in front of backend servers, forwarding client requests and returning responses on their behalf. Used for SSL termination, load balancing, caching, and hiding the origin server's identity., or the application itself. Distributed systems using MicroservicesAn architectural style that structures an application as a collection of loosely coupled, independently deployable services, each responsible for a specific business function and communicating over APIs. need centralized rate limit state (Redis, Memcached) to prevent per-instance limits from being bypassed by spreading requests across nodes. Standard response headers — X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset — communicate quota status to clients. The HTTP Status CodesThree-digit codes returned by a web server indicating the result of a request. Organized into classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). 429 Too Many Requests signals that the limit has been exceeded, along with a Retry-After header guiding clients on when to resume. Use HTTP Header Analyzer to inspect whether rate limit headers are being returned correctly.

Related Terms

More in Web