Rate Limiting

Data & Formats Security Notes Jan 6, 2025 HTTP

Definition

Imagine you run a popular pizza shop. One day, a customer walks in and tries to order 10,000 pizzas just to see what happens. Your ovens would be overwhelmed, your staff couldn’t serve anyone else, and legitimate customers would leave angry. You need a rule: “Maximum 10 pizzas per customer per hour.” That’s rate limiting.

Rate limiting is a protection mechanism that controls how many requests a client can make to your API within a specific time window. It’s like a bouncer at a club who counts how many times each person has entered that night. Too many entries? You’re cut off until the counter resets.

Without rate limiting, a single user (whether malicious or just buggy) could monopolize your entire system. They could make millions of requests per second, crash your servers, run up your cloud bill, or deny service to everyone else. Rate limiting ensures fair access, protects your infrastructure, prevents abuse, and keeps costs predictable. It’s one of the most fundamental safety mechanisms in API design.

Example

Twitter/X API: Twitter limits how many tweets you can read per day, even with a premium account. If you hit that limit, you see “Rate limit exceeded” until the window resets. This prevents bots from scraping the entire platform and ensures regular users can still browse.

Login Attempts: Banks typically allow only 5 login attempts per 15 minutes. This prevents attackers from guessing passwords by trying millions of combinations. After 5 failures, you’re locked out temporarily - frustrating if you forgot your password, but essential for security.

Google Maps API: You might get 25,000 free map loads per day. If you build an app that goes viral unexpectedly, you hit that limit and users see “Map unavailable.” This protects Google from abuse and ensures you understand the costs before scaling.

Stripe Payment Processing: Stripe limits API calls to prevent a buggy integration from accidentally creating thousands of duplicate charges. Even if your code goes haywire, rate limiting stops it from charging customers repeatedly.

Email Sending Services: SendGrid limits how many emails you can send per hour. This prevents compromised accounts from sending spam, and ensures their infrastructure isn’t overwhelmed by one customer’s marketing blast.

Analogy

The All-You-Can-Eat Buffet: An all-you-can-eat restaurant is technically unlimited, but there are implicit limits. You can only eat so much, and if you tried to fill 50 takeout containers, you’d be asked to leave. Rate limiting is like making these rules explicit: “You can visit the buffet 10 times per hour, maximum 2 plates per visit.” This keeps the food available for everyone.

The Library Checkout Policy: Libraries limit how many books you can borrow (maybe 20 at a time) and how long you can keep them. Without these limits, one person could check out every book in the library and prevent others from reading anything. Rate limiting is the same concept for API access.

Highway On-Ramp Meters: During rush hour, some highways use traffic lights on entry ramps that only let one car through every few seconds. This rate limiting prevents the highway from becoming a parking lot. Sure, you might wait a bit to merge, but once you’re on, traffic actually flows. Without the meter, everyone tries to enter at once and everything stops.

The Bouncer’s Clicker: Club bouncers often use clickers to count how many people are inside. They have a maximum capacity and won’t let anyone new in until someone leaves. Rate limiting is the digital equivalent - tracking how many requests you’ve made and stopping you when you hit the limit.

Code Example


// Rate limit headers in response
[HTTP/1.1](https://reference.apios.info/terms/http-1-1/) 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 37
X-RateLimit-Reset: 1640995200

// When limit exceeded
HTTP/1.1 [429 Too Many Requests](https://reference.apios.info/terms/429-too-many-requests/)
Retry-After: 3600

{
  "error": "rate_limit_exceeded",
  "message": "Try again in 3600 seconds."
}

Security Notes

SECURITY NOTES

CRITICAL: Rate limiting prevents abuse but can be bypassed. Implement multiple strategies.

Rate Limit Strategies:

  • Per-IP: Limit requests per IP address
  • Per-user: Limit requests per authenticated user
  • Per-API key: Limit requests per API key
  • Global: Limit total requests across all clients
  • Combination: Use multiple strategies together

Rate Limit Implementation:

  • Token bucket: Allows burst traffic, recovers over time
  • Sliding window: More accurate but higher overhead
  • Fixed window: Simple but allows burst at window boundaries
  • Adaptive: Adjust limits based on server load
  • Distributed: Share rate limit state across servers

Response Headers:

  • RateLimit-Limit: Maximum requests in period
  • RateLimit-Remaining: Requests remaining in current period
  • RateLimit-Reset: Unix timestamp when limit resets
  • Retry-After: How long to wait before retrying (on 429)
  • X-RateLimit-*: Alternative non-standard headers

429 Too Many Requests:

  • Correct status code: Return 429 when rate limited
  • Retry-After header: Inform client when to retry
  • Meaningful message: Explain rate limit in response body
  • Don’t throttle forever: Eventually allow retries
  • Exponential backoff: Clients should use exponential backoff

Bypass & Abuse Prevention:

  • Distributed attack: Single IP limit doesn’t prevent distributed attacks
  • API key abuse: Rate limit per key prevents single compromised key
  • Authentication bypass: Rate limit unauthenticated requests aggressively
  • Cache validation: Rate limit based on cache status (hit vs miss)
  • Endpoint-specific: Different limits for different endpoints

Legitimate Use Cases:

  • Pagination: Don’t penalize pagination requests
  • Polling: Allow reasonable polling intervals
  • Batch operations: Allow larger requests for batch operations
  • File uploads: Increase limits for legitimate file uploads
  • Whitelist: Whitelist trusted clients (partners, internal services)

Monitoring & Alerts:

  • Track rate limit hits: Monitor which clients hit limits
  • Pattern detection: Detect unusual patterns (credential stuffing, enumeration)
  • Alert thresholds: Alert on high rate limit hit rates
  • Adaptive blocking: Block clients hitting limits repeatedly
  • Granular monitoring: Track rates per endpoint

Standards & RFCs

Standards & RFCs
1)RFC 6585- Additional [HTTP Status Codes](https://reference.apios.info/terms/http-status-codes/) (defines 429 Too Many Requests)
2)- IETF draft-ietf-httpapi-ratelimit-headers - RateLimit header fields for HTTP
3)RFC 7231- HTTP/1.1 Semantics and Content (Retry-After header)