[{"data":1,"prerenderedAt":254},["ShallowReactive",2],{"blog-glossary/rate-limiting":3},{"id":4,"title":5,"body":6,"category":230,"date":231,"dateModified":231,"description":232,"draft":233,"extension":234,"faq":235,"featured":233,"headerVariant":239,"image":240,"keywords":240,"meta":241,"navigation":242,"ogDescription":243,"ogTitle":240,"path":244,"readTime":245,"schemaOrg":246,"schemaType":247,"seo":248,"sitemap":249,"stem":250,"tags":251,"twitterCard":252,"__hash__":253},"blog/blog/glossary/rate-limiting.md","What is Rate Limiting? API Protection",{"type":7,"value":8,"toc":220},"minimark",[9,16,21,24,28,63,67,86,90,157,161,167,189,208],[10,11,12],"tldr",{},[13,14,15],"p",{},"Rate limiting restricts how many requests a user can make in a given time period. Without it, attackers can brute force passwords, scrape your data, or overwhelm your servers. Common limits: 100 requests per minute for APIs, 5 login attempts per hour for auth endpoints. Return HTTP 429 when limits are exceeded.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"Imagine your API as a coffee shop. Without rate limiting, one person could order 10,000 coffees per minute, blocking everyone else and exhausting your resources. Rate limiting says \"you can only order 10 coffees per minute, then you have to wait.\"",[17,25,27],{"id":26},"why-rate-limiting-matters","Why Rate Limiting Matters",[29,30,31,39,45,51,57],"ul",{},[32,33,34,38],"li",{},[35,36,37],"strong",{},"Brute force protection:"," Limit login attempts to prevent password guessing",[32,40,41,44],{},[35,42,43],{},"DDoS mitigation:"," Prevent single sources from overwhelming your server",[32,46,47,50],{},[35,48,49],{},"Cost control:"," Limit expensive operations (AI calls, SMS)",[32,52,53,56],{},[35,54,55],{},"Fair usage:"," Ensure all users get reasonable access",[32,58,59,62],{},[35,60,61],{},"Scraping prevention:"," Make bulk data extraction impractical",[17,64,66],{"id":65},"implementation-example","Implementation Example",[68,69,71,74,77,80,83],"prompt-box",{"title":70},"Express.js with express-rate-limit",[13,72,73],{},"import rateLimit from 'express-rate-limit';",[13,75,76],{},"const limiter = rateLimit({\nwindowMs: 15 * 60 * 1000, // 15 minutes\nmax: 100, // 100 requests per window\nmessage: { error: 'Too many requests, try again later' }\n});",[13,78,79],{},"app.use('/api/', limiter);",[13,81,82],{},"// Stricter limit for auth endpoints\nconst authLimiter = rateLimit({\nwindowMs: 60 * 60 * 1000, // 1 hour\nmax: 5, // 5 attempts per hour\n});",[13,84,85],{},"app.use('/api/login', authLimiter);",[17,87,89],{"id":88},"common-rate-limits","Common Rate Limits",[91,92,93,109],"table",{},[94,95,96],"thead",{},[97,98,99,103,106],"tr",{},[100,101,102],"th",{},"Endpoint Type",[100,104,105],{},"Suggested Limit",[100,107,108],{},"Reason",[110,111,112,124,135,146],"tbody",{},[97,113,114,118,121],{},[115,116,117],"td",{},"Login",[115,119,120],{},"5/hour per IP",[115,122,123],{},"Prevent brute force",[97,125,126,129,132],{},[115,127,128],{},"Password reset",[115,130,131],{},"3/hour per email",[115,133,134],{},"Prevent email bombing",[97,136,137,140,143],{},[115,138,139],{},"API endpoints",[115,141,142],{},"100/minute per user",[115,144,145],{},"Fair usage",[97,147,148,151,154],{},[115,149,150],{},"Signup",[115,152,153],{},"10/hour per IP",[115,155,156],{},"Prevent spam accounts",[17,158,160],{"id":159},"response-headers","Response Headers",[68,162,164],{"title":163},"Rate limit response headers",[13,165,166],{},"HTTP/1.1 429 Too Many Requests\nRetry-After: 3600\nX-RateLimit-Limit: 100\nX-RateLimit-Remaining: 0\nX-RateLimit-Reset: 1706140800",[168,169,170,177,183],"faq-section",{},[171,172,174],"faq-item",{"question":173},"What endpoints need rate limiting?",[13,175,176],{},"Prioritize login endpoints, password reset, signup, payment endpoints, and any endpoint that sends emails or SMS. These are targets for brute force attacks and abuse. Also rate limit expensive operations like search, file uploads, and AI API calls that cost money.",[171,178,180],{"question":179},"Should I rate limit by IP or by user?",[13,181,182],{},"Use both. IP-based limits protect public endpoints before login. User-based limits protect authenticated endpoints and prevent abuse by logged-in users. IP limiting alone fails when attackers use many IPs or when users share an IP (like corporate networks or VPNs).",[171,184,186],{"question":185},"What HTTP status code should rate limiting return?",[13,187,188],{},"Return 429 Too Many Requests when rate limited. Include a Retry-After header telling clients when they can try again. Good clients will respect this. Also consider returning X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers so clients can track their usage.",[190,191,192,198,203],"related-articles",{},[193,194],"related-card",{"description":195,"href":196,"title":197},"What rate limiting helps prevent","/blog/glossary/ddos","DDoS",[193,199],{"description":200,"href":201,"title":202},"Attack type rate limiting stops","/blog/glossary/brute-force","Brute Force",[193,204],{"description":205,"href":206,"title":207},"Where rate limiting is critical","/blog/glossary/authentication","Authentication",[209,210,213,217],"cta-box",{"href":211,"label":212},"/","Start Free Scan",[17,214,216],{"id":215},"check-your-rate-limiting","Check Your Rate Limiting",[13,218,219],{},"Scan your API for missing rate limits on sensitive endpoints.",{"title":221,"searchDepth":222,"depth":222,"links":223},"",2,[224,225,226,227,228,229],{"id":19,"depth":222,"text":20},{"id":26,"depth":222,"text":27},{"id":65,"depth":222,"text":66},{"id":88,"depth":222,"text":89},{"id":159,"depth":222,"text":160},{"id":215,"depth":222,"text":216},"glossary","2026-01-12","Learn what rate limiting is, why APIs need it, and how to implement it properly. Protect your app from abuse and DDoS attacks.",false,"md",[236,237,238],{"question":173,"answer":176},{"question":179,"answer":182},{"question":185,"answer":188},"green",null,{},true,"Rate limiting controls how many requests users can make. Learn why it matters.","/blog/glossary/rate-limiting","5 min read","[object Object]","DefinedTerm",{"title":5,"description":232},{"loc":244},"blog/glossary/rate-limiting",[],"summary_large_image","ksCO0hMFUKLkbVZ557LnKMpSJuKlQflvWgQwdku61xY",1775843921934]