# API Rate Limiting
Request rate limiting to protect your API endpoints from excessive requests.
## Introduction
API rate limiting is essential for:
- Protecting server resources
- Preventing abuse
- Ensuring fair service usage
- Maintaining system stability
## Implementation

We use a token bucket algorithm for rate limiting. The snippet below shows the limit configuration and the check each request goes through, backed by a minimal in-memory per-IP counter so it runs as written:

```typescript
// Rate limit configuration
const RATE_LIMIT = {
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
};

// Per-IP counters for the current window (in-memory; use a shared store such as Redis across instances)
const counters = new Map<string, { count: number; windowStart: number }>();

// Record one request for `ip` and return its request count in the current window
async function getRequestCount(ip: string): Promise<number> {
  const now = Date.now();
  const entry = counters.get(ip);
  if (entry && now - entry.windowStart < RATE_LIMIT.windowMs) return ++entry.count;
  counters.set(ip, { count: 1, windowStart: now }); // first request, or the window has expired
  return 1;
}

// Example implementation: true when the request is within the limit, false when it must be rejected
async function checkRateLimit(ip: string): Promise<boolean> {
  return (await getRequestCount(ip)) <= RATE_LIMIT.max;
}
```
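The configuration above expresses the limit as a count per window. A token bucket, which the section names as the algorithm in use, instead lets each client spend a burst of tokens and then refills them at a steady rate, so short bursts are tolerated while the sustained rate is capped. The following is an added example, not the project's own code: a per-client token bucket with an injectable clock (the `TokenBucketLimiter` class, its `consume` method and the sample client key are assumptions for illustration).

```typescript
// Added example (not the project's own code): a per-client token bucket.
// Each client key owns a bucket holding at most `capacity` tokens that refills
// at `refillPerSec` tokens per second; a request spends one token and is
// rejected when none are left. The clock is injectable so behaviour is testable.

type Bucket = { tokens: number; lastRefill: number };

class TokenBucketLimiter {
  private buckets = new Map<string, Bucket>();

  constructor(
    private capacity: number,     // burst size, e.g. 100
    private refillPerSec: number, // sustained rate, e.g. 100 / 900 for 100 requests per 15 minutes
    private now: () => number = () => Date.now(), // injectable clock, milliseconds
  ) {}

  // Decide one request: whether it is allowed, how many whole tokens remain,
  // and (when rejected) how many seconds until enough tokens have refilled.
  consume(key: string, cost = 1): { allowed: boolean; remaining: number; retryAfterSec: number } {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, lastRefill: t }; // new clients start with a full bucket
      this.buckets.set(key, b);
    }
    // Refill in proportion to elapsed time, never above capacity.
    const elapsedSec = (t - b.lastRefill) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.lastRefill = t;

    if (b.tokens >= cost) {
      b.tokens -= cost;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
    }
    const deficit = cost - b.tokens;
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(deficit / this.refillPerSec) };
  }
}

// Constructed usage with a fake clock: burst of 5, refilling 1 token per second.
let fakeNow = 0;
const limiter = new TokenBucketLimiter(5, 1, () => fakeNow);
for (let i = 0; i < 5; i++) limiter.consume("203.0.113.7"); // drain the burst
const blocked = limiter.consume("203.0.113.7"); // allowed: false, retryAfterSec: 1
fakeNow += 2000;                                 // two seconds later: two tokens refilled
const again = limiter.consume("203.0.113.7");   // allowed: true, remaining: 1
```

The refill-on-access design keeps per-client state to two numbers and needs no background timer; in a multi-instance deployment the map would be replaced by a shared store with an atomic read-modify-write, since two instances updating the same bucket independently would each grant the full burst.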
## Limits by Endpoint

Different endpoints have different limits:

| Endpoint | Rate Limit | Window |
|---|---|---|
| /api/auth/* | 20 requests | 15 minutes |
| /api/user/* | 100 requests | 15 minutes |
| /api/public/* | 500 requests | 15 minutes |
## Response Headers

Rate limit information is included in response headers:

```http
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 98
X-RateLimit-Reset: 1640995200
```
## Error Response

When limits are exceeded:

```json
{
  "error": "Too Many Requests",
  "message": "Rate limit exceeded. Please try again in 15 minutes.",
  "retryAfter": 900
}
```
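The endpoint table, the response headers and the error body above are the three pieces a request handler has to tie together: pick the limit for the path, count the request against a per-client, per-endpoint-group window, and report the outcome. The following added example (not the project's own middleware) does that end to end; the `FixedWindowLimiter` class, the `resolveLimit` helper, the fallback limit for paths outside the table and the sample addresses are assumptions for illustration.

```typescript
// Added example (not the project's own code): resolve a request's limit from the
// endpoint table, count it in a fixed 15-minute window keyed by client and endpoint
// group, and produce the X-RateLimit-* headers or the 429 body shown above.
// Framework-agnostic: it returns a plain decision object instead of writing a response.

const WINDOW_MS = 15 * 60 * 1000;

// Endpoint groups from the table; the first matching prefix wins.
const ENDPOINT_LIMITS: { prefix: string; max: number }[] = [
  { prefix: "/api/auth/", max: 20 },
  { prefix: "/api/user/", max: 100 },
  { prefix: "/api/public/", max: 500 },
];
const DEFAULT_MAX = 100; // assumed fallback for paths the table does not list

function resolveLimit(path: string): { group: string; max: number } {
  const hit = ENDPOINT_LIMITS.find((e) => path.startsWith(e.prefix));
  return hit ? { group: hit.prefix, max: hit.max } : { group: "default", max: DEFAULT_MAX };
}

type Decision = {
  status: 200 | 429;
  headers: Record<string, string>;
  body?: { error: string; message: string; retryAfter: number };
};

type WindowState = { count: number; resetAt: number }; // resetAt in ms since epoch

class FixedWindowLimiter {
  private windows = new Map<string, WindowState>();
  constructor(private now: () => number = () => Date.now()) {}

  handle(clientIp: string, path: string): Decision {
    const { group, max } = resolveLimit(path);
    const key = `${clientIp}|${group}`; // each endpoint group has its own budget per client
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t >= w.resetAt) {
      w = { count: 0, resetAt: t + WINDOW_MS }; // first request, or the window has rolled over
      this.windows.set(key, w);
    }
    const resetSec = Math.ceil(w.resetAt / 1000); // X-RateLimit-Reset is in epoch seconds

    if (w.count >= max) {
      const retryAfter = Math.ceil((w.resetAt - t) / 1000);
      return {
        status: 429,
        headers: {
          "X-RateLimit-Limit": String(max),
          "X-RateLimit-Remaining": "0",
          "X-RateLimit-Reset": String(resetSec),
          "Retry-After": String(retryAfter), // standard header alongside the JSON field
        },
        body: {
          error: "Too Many Requests",
          message: `Rate limit exceeded. Please try again in ${Math.ceil(retryAfter / 60)} minutes.`,
          retryAfter,
        },
      };
    }

    w.count += 1; // only successful admissions consume budget
    return {
      status: 200,
      headers: {
        "X-RateLimit-Limit": String(max),
        "X-RateLimit-Remaining": String(max - w.count),
        "X-RateLimit-Reset": String(resetSec),
      },
    };
  }
}

// Constructed usage with a fixed clock at 2022-01-01T00:00:00Z.
const clock = { ms: 1640995200 * 1000 };
const api = new FixedWindowLimiter(() => clock.ms);
for (let i = 0; i < 20; i++) api.handle("198.51.100.4", "/api/auth/login"); // exhaust the auth budget
const denied = api.handle("198.51.100.4", "/api/auth/login");   // status 429, retryAfter 900
const userOk = api.handle("198.51.100.4", "/api/user/profile"); // status 200, remaining 99 (separate budget)
```

Rejected requests do not increment the counter, so a client that keeps retrying after a 429 is not pushed further into the future; the reset time is fixed by the window start, which is why `retryAfter` shrinks as the window ages rather than staying at 900.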
## Monitoring
We monitor:
- Request patterns
- Rate limit violations
- System load
This helps us adjust limits and identify potential issues.