Limitação de Taxa
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/glossary/rate-limiting/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>
Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/glossary/rate-limiting/
Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/glossary/rate-limiting/)
Use the native HTML custom element.
Definição
Uma técnica que restringe o número de solicitações que um cliente pode fazer a uma API ou servidor dentro de uma janela de tempo. A limitação de taxa protege contra abusos, ataques de força bruta e esgotamento de recursos.
Why Rate Limiting Is Necessary
Without rate limiting, a single client can overwhelm an API with thousands of requests per second, degrading service for legitimate users or exhausting backend resources. Rate limiting enforces a maximum request rate — per IP, per user token, or per API key — providing protection against denial-of-service attacks, credential stuffing, and runaway client bugs.
Common Algorithms
Token Bucket grants a bucket of tokens that refills at a fixed rate; each request consumes a token. Burst traffic is allowed until the bucket empties. Fixed Window counts requests in discrete time windows (e.g., 1,000 requests per minute); simple but susceptible to boundary spikes. Sliding Window Log tracks exact timestamps of recent requests for precise limiting at the cost of higher memory usage. Leaky Bucket smooths traffic to a constant output rate regardless of input bursts, protecting downstream services.
Implementation Points
Rate limiting can be applied at multiple layers: the API GatewayA server that acts as a single entry point for multiple backend microservices, handling request routing, rate limiting, authentication, and protocol translation. Examples include Kong, AWS API Gateway, and Nginx., a Reverse ProxyA server that sits in front of backend servers, forwarding client requests and returning responses on their behalf. Used for SSL termination, load balancing, caching, and hiding the origin server's identity., or the application itself. Distributed systems using MicroservicesAn architectural style that structures an application as a collection of loosely coupled, independently deployable services, each responsible for a specific business function and communicating over APIs. need centralized rate limit state (Redis, Memcached) to prevent per-instance limits from being bypassed by spreading requests across nodes. Standard response headers — X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset — communicate quota status to clients. The HTTP Status CodesThree-digit codes returned by a web server indicating the result of a request. Organized into classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). 429 Too Many Requests signals that the limit has been exceeded, along with a Retry-After header guiding clients on when to resume. Use HTTP Header Analyzer to inspect whether rate limit headers are being returned correctly.