100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Rate Limiting (Security)

BeginnerTechnique11.6K learners

Rate limiting, as a security control, is the practice of capping how many requests a client can make to a system within a given time window, in order to prevent abuse such as brute-force attacks, credential stuffing, denial-of-service, and…

Definition

Rate limiting, as a security control, is the practice of capping how many requests a client can make to a system within a given time window, in order to prevent abuse such as brute-force attacks, credential stuffing, denial-of-service, and API scraping.

Overview

Rate limiting is one of the oldest and most broadly applicable security controls: it does not try to distinguish good intent from bad, it simply constrains volume. If a login endpoint allows unlimited attempts, an attacker can try millions of password combinations; if it allows only five attempts per minute per account, brute-forcing becomes impractical. The same logic applies to APIs, form submissions, password reset flows, and any endpoint that could be abused at scale. Rate limiting can be applied at several granularities: per IP address, per authenticated user or API key, per endpoint, or globally across a service. Each has tradeoffs — per-IP limiting is easily evaded by attackers using botnets or proxy rotation, while per-account limiting is more resilient but requires the request to already carry an identity. Sophisticated systems combine multiple dimensions, for example limiting both by IP and by account, and apply progressively stricter limits (or CAPTCHAs) as suspicious behavior increases. Common algorithms used to implement rate limiting include the fixed window counter (simplest, but can allow bursts at window boundaries), sliding window log or sliding window counter (smoother but more resource-intensive), and the token bucket or leaky bucket algorithms, which allow controlled bursts while enforcing a steady average rate. The choice of algorithm affects both accuracy and the computational cost of enforcement at scale. Beyond stopping brute-force and denial-of-service attempts, rate limiting is a foundational defense against data scraping, API abuse for competitive intelligence, and resource exhaustion attacks where an attacker deliberately drives up an organization's infrastructure or third-party API costs. It is typically deployed at an API security gateway, load balancer, or CDN edge layer, and is often paired with bot detection to distinguish automated abuse from legitimate high-volume users.

Key Concepts

  • Caps the number of requests a client can make within a defined time window
  • Can be scoped per IP, per account, per API key, or per endpoint
  • Commonly implemented via token bucket, leaky bucket, or sliding window algorithms
  • Mitigates brute-force login attempts and credential stuffing
  • Reduces impact of denial-of-service and resource exhaustion attacks
  • Deters unauthorized data scraping and API abuse
  • Often paired with progressive penalties like CAPTCHAs or temporary blocks
  • Typically enforced at the gateway, load balancer, or CDN edge

Use Cases

Throttling login attempts to prevent brute-force password guessing
Limiting password reset requests to prevent account enumeration
Protecting public APIs from scraping and automated abuse
Preventing denial-of-service impact from traffic spikes
Controlling costs on metered third-party API calls
Slowing down credential stuffing attacks against authentication endpoints
Enforcing fair usage tiers in freemium SaaS products

Frequently Asked Questions

From the Blog