Rate limiting prevents abuse, ensures fair resource usage, and protects against attacks.
Common strategies
- Fixed window: X requests per Y time period (simple but has burst issues).
- Sliding window: Rolling time window (more accurate).
- Token bucket: Accumulate tokens, spend on requests (allows bursts).
- Leaky bucket: Fixed rate processing (smooths traffic).
Where applied
- APIs: Prevent excessive calls (e.g., 1000/hour).
- Login forms: Prevent brute force (e.g., 5/minute).
- Public endpoints: Protect against DDoS.
- Email sending: Prevent spam (e.g., 100/day).
Implementation
- Store counters in Redis/Memcached.
- Return 429 (Too Many Requests) status.
- Include Retry-After header.
- Provide rate limit headers (X-RateLimit-*).
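The token bucket strategy combined with the response handling listed above, as an added example (not code from the original page). It assumes an in-memory dict in place of Redis/Memcached, the commonly used header names X-RateLimit-Limit and X-RateLimit-Remaining, and a constructed client key.

```python
import math
import time


class TokenBucketLimiter:
    """Per-key token bucket; a dict stands in for Redis/Memcached (assumption)."""

    def __init__(self, capacity, seconds_per_token, clock=time.monotonic):
        self.capacity = capacity                    # maximum burst size
        self.seconds_per_token = seconds_per_token  # refill interval
        self.clock = clock                          # injectable for testing
        self.buckets = {}                           # key -> (tokens, last_seen)

    def check(self, key):
        """Return (status, headers) for one request from `key`."""
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(self.capacity), now))
        # Refill for the elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) / self.seconds_per_token)
        headers = {"X-RateLimit-Limit": str(self.capacity)}
        if tokens >= 1.0:
            tokens -= 1.0
            status = 200
        else:
            status = 429
            # Seconds until one whole token is available, rounded up.
            wait = (1.0 - tokens) * self.seconds_per_token
            headers["Retry-After"] = str(max(1, math.ceil(wait)))
        headers["X-RateLimit-Remaining"] = str(int(tokens))
        # Rejected requests keep their partial token, so retries never reset the wait.
        self.buckets[key] = (tokens, now)
        return status, headers


def demo():
    """Constructed login scenario: burst of 5, then 5 per minute (one token / 12 s)."""
    t = [0.0]
    limiter = TokenBucketLimiter(5, 12.0, clock=lambda: t[0])
    key = "login:203.0.113.7"  # constructed key (documentation IP range)
    results = [limiter.check(key) for _ in range(6)]
    t[0] += 12.0  # advance the fake clock by one refill interval
    results.append(limiter.check(key))
    return results


if __name__ == "__main__":
    for status, headers in demo():
        print(status, headers)
```

In a multi-instance deployment the refill-and-spend step has to be atomic in the shared store; the dict here is only safe within a single process.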
User experience
- Communicate limits clearly in documentation.
- Provide feedback when limits are approached.
- Offer higher tiers for legitimate high-volume users.