速率限制
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/glossary/rate-limiting/" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>
Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/glossary/rate-limiting/
Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/glossary/rate-limiting/)
Use the native HTML custom element.
定义
一种限制客户端在特定时间窗口内向API或服务器发送请求数量的技术。速率限制可防止滥用、暴力破解攻击和资源耗尽。
Why Rate Limiting Is Necessary
Without rate limiting, a single client can overwhelm an API with thousands of requests per second, degrading service for legitimate users or exhausting backend resources. Rate limiting enforces a maximum request rate — per IP, per user token, or per API key — providing protection against denial-of-service attacks, credential stuffing, and runaway client bugs.
Common Algorithms
Token Bucket grants a bucket of tokens that refills at a fixed rate; each request consumes a token. Burst traffic is allowed until the bucket empties. Fixed Window counts requests in discrete time windows (e.g., 1,000 requests per minute); simple but susceptible to boundary spikes. Sliding Window Log tracks exact timestamps of recent requests for precise limiting at the cost of higher memory usage. Leaky Bucket smooths traffic to a constant output rate regardless of input bursts, protecting downstream services.
Implementation Points
Rate limiting can be applied at multiple layers: the API GatewayA server that acts as a single entry point for multiple backend microservices, handling request routing, rate limiting, authentication, and protocol translation. Examples include Kong, AWS API Gateway, and Nginx., a Reverse ProxyA server that sits in front of backend servers, forwarding client requests and returning responses on their behalf. Used for SSL termination, load balancing, caching, and hiding the origin server's identity., or the application itself. Distributed systems using MicroservicesAn architectural style that structures an application as a collection of loosely coupled, independently deployable services, each responsible for a specific business function and communicating over APIs. need centralized rate limit state (Redis, Memcached) to prevent per-instance limits from being bypassed by spreading requests across nodes. Standard response headers — X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset — communicate quota status to clients. The HTTP Status CodesThree-digit codes returned by a web server indicating the result of a request. Organized into classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). 429 Too Many Requests signals that the limit has been exceeded, along with a Retry-After header guiding clients on when to resume. Use HTTP Header Analyzer to inspect whether rate limit headers are being returned correctly.