How to implement Rate Limiting in Laravel

Antoine Lamé
3 min read · Nov 29, 2021


Limiting the number of requests per minute sent to an application is often necessary to protect against attacks trying to saturate your server or to brute force authentication forms. That’s why Laravel comes with a rate limiting mechanism, which we will learn to use here.

There are two ways to implement rate limiting with Laravel:

  1. Using the Rate Limiter Middleware: to rate limit incoming HTTP requests before they reach the controller
  2. Using the Rate Limiting abstraction: to interact more finely with the rate limiter, for example at the controller level

In this article, we will only cover the first method: using the throttle middleware to set up a simple rate limit system.

Get started

The throttle middleware protects routes from receiving too many HTTP requests: it counts the requests for a route and rejects further ones once a limit has been reached.

To get started, define the rate limiter configurations that your application needs. In a Laravel 8 application this is done in the configureRateLimiting() method of the App\Providers\RouteServiceProvider class, using the RateLimiter facade: each call to RateLimiter::for() registers a named limiter whose closure receives the request and returns a Limit.

The post's example defines a rate limiter called global which limits access to the routes associated with it to 1000 requests per minute.

You can create as many configurations as you want, with the names you want. We could, for example, imagine having global, downloads and chat limiters to customise the limit depending on the routes.

Once you have defined your rate limiters, you can apply them to the routes you want to rate limit using the throttle middleware, as follows:

As you can see, you just need to pass a string containing throttle: followed by the name of the rate limiter you have defined.
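The two steps above, defining named limiters and attaching them to routes, as one added example. This is not the post's own gist: the global limiter and its 1000 requests per minute come from the post, while the downloads limiter, its 30 per minute budget, ReportController and the route paths are assumptions made for illustration. The layout follows the Laravel 8 application skeleton.

```php
<?php
// Added example, not the post's own code: the two files involved in defining
// named rate limiters and applying them with the throttle middleware.
// "global" and its 1000/min budget come from the post; "downloads", its 30/min
// budget, ReportController and the route paths are assumptions.

// ---- file: app/Providers/RouteServiceProvider.php ----

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

class RouteServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // Limiters are registered before the route files that reference them.
        $this->configureRateLimiting();

        $this->routes(function () {
            Route::prefix('api')
                ->middleware('api')
                ->group(base_path('routes/api.php'));

            Route::middleware('web')
                ->group(base_path('routes/web.php'));
        });
    }

    protected function configureRateLimiting()
    {
        // "global": 1000 requests per minute. There is no ->by() key, so every
        // client counts against one shared bucket (the post's first example).
        RateLimiter::for('global', function (Request $request) {
            return Limit::perMinute(1000);
        });

        // "downloads": a tighter shared budget for expensive routes (assumed).
        RateLimiter::for('downloads', function (Request $request) {
            return Limit::perMinute(30);
        });

        // "api": App\Http\Kernel's 'api' middleware group applies throttle:api
        // by default, so a limiter with this name must exist. This is the
        // definition the Laravel 8 skeleton ships: 60/min per user id, or per
        // IP address for guests.
        RateLimiter::for('api', function (Request $request) {
            return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
        });
    }
}

// ---- file: routes/web.php ----

use App\Http\Controllers\ReportController; // hypothetical controller
use Illuminate\Support\Facades\Route;

// throttle:<name> attaches the limiter defined above to a route or a group.
Route::middleware('throttle:global')->group(function () {
    Route::get('/reports', [ReportController::class, 'index']);
    Route::get('/reports/{report}', [ReportController::class, 'show']);
});

Route::get('/reports/{report}/download', [ReportController::class, 'download'])
    ->middleware('throttle:downloads');
```

The older parameter form of the middleware still works alongside named limiters: throttle:60,1 allows 60 attempts per 1 minute and keys the counter on the authenticated user's id, or on the client's IP address for guests, without any definition in the provider. Keep in mind that a limiter without a ->by() key, like global above, is one bucket for everyone, so a single abusive client can use it up for all other users; the next section addresses that.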

For these routes, once the limit is reached the application returns a “429 — Too Many Requests” response instead of serving the expected one. The response carries a Retry-After header telling the client how many seconds to wait; the middleware also adds X-RateLimit-Limit and X-RateLimit-Remaining headers to every response that passes through it, so clients can see how much of their budget is left.

Default “429 Too Many Requests” response in Laravel
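A check worth keeping next to this: a feature test that registers a small limiter and route at runtime, then asserts the transition to 429 and the headers the throttle middleware sets. This is an added example, not from the original post; the limiter name tiny, the route /tiny and the 2 requests per minute budget are assumptions chosen to keep the test fast. It relies on the array cache driver that a Laravel 8 phpunit.xml configures for tests, which keeps the counters for the lifetime of one test.

```php
<?php
// Added example, not from the original post: tests/Feature/ThrottleMiddlewareTest.php
// The limiter name "tiny", the route "/tiny" and the 2/min budget are assumptions.

namespace Tests\Feature;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class ThrottleMiddlewareTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Register a limiter and a route at runtime. The test cache driver
        // (array) keeps the hit counters for the duration of this test only.
        RateLimiter::for('tiny', function (Request $request) {
            return Limit::perMinute(2)->by($request->ip());
        });

        Route::middleware('throttle:tiny')->get('/tiny', function () {
            return 'ok';
        });
    }

    public function test_requests_over_the_limit_get_429_with_retry_headers()
    {
        // The middleware reports the budget on every response it lets through.
        $this->get('/tiny')
            ->assertOk()
            ->assertHeader('X-RateLimit-Limit', '2')
            ->assertHeader('X-RateLimit-Remaining', '1');

        $this->get('/tiny')
            ->assertOk()
            ->assertHeader('X-RateLimit-Remaining', '0');

        // The third request in the same minute is rejected before the route
        // runs, with Retry-After so well-behaved clients know when to retry.
        $this->get('/tiny')
            ->assertStatus(429)
            ->assertHeader('Retry-After')
            ->assertHeader('X-RateLimit-Reset');
    }
}
```

Run it with php artisan test or vendor/bin/phpunit. Because the limiter is keyed on the client's IP address and every request in a test comes from 127.0.0.1, all three calls share one bucket, which is exactly what the assertions rely on.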

⚠️ Be aware! If your application has an API using the api middleware group, the throttle:api middleware is applied to those routes by default, as defined in the $middlewareGroups['api'] property of your App\Http\Kernel class. The Laravel 8 skeleton ships a rate limiter named api in configureRateLimiting() for this reason; if you rename or delete it, you have to define a rate limiter called api again or remove throttle:api from the group.

Segmenting Rate Limits

Until now, as defined in our previous example, our rate limiters didn’t differentiate between users. They blocked the total number of requests received per minute by the application, from all users.

This is coarse: one abusive client can exhaust the shared budget and block users who were not trying to flood the application. So it is better to set a limit of requests per user. To do that, use the by method when building your rate limiter; the key you pass to it selects which bucket a request counts against:

Rate Limiting users to 10 requests per minute

Therefore, each user (keyed on their id) will only be able to access the associated routes 10 times per minute before being restricted.

What if we want to apply the rate limit to routes that don’t necessarily require authentication? For a guest, $request->user() is null, so reading ->id from it would throw; in that case fall back to the client’s IP address as the key.

Authenticated users can now send 100 requests per minute while unauthenticated users can only send 20 requests per minute (their rate is associated with their IP address). One caveat when keying on the IP address: behind a load balancer, reverse proxy or CDN, $request->ip() only returns the real client address if App\Http\Middleware\TrustProxies is configured for that proxy; otherwise every visitor appears to come from the proxy and they all share a single bucket.
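The segmented limiters from this section as one added example (not the post's own gist). The 10 per minute per-user limit and the 100 versus 20 per minute split are the post's numbers; the limiter names, the login limiter, its budgets and the controllers are assumptions. The login limiter goes beyond the post's examples to show the brute-force case mentioned in the introduction: a limiter may return several Limits, and a request must pass all of them.

```php
<?php
// Added example, not the post's own code: configureRateLimiting() with
// segmented limiters, plus the routes that use them. The 10/min per-user and
// 100/min vs 20/min budgets come from the post; limiter names, the login
// limiter, its budgets and the controllers are assumptions.

// ---- file: app/Providers/RouteServiceProvider.php ----

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class RouteServiceProvider extends ServiceProvider
{
    // boot() is unchanged from the application skeleton and calls configureRateLimiting().

    protected function configureRateLimiting()
    {
        // Per-user budget: 10/min keyed on the user's id. Attach this only to
        // routes behind the auth middleware: for a guest $request->user() is
        // null and ->id would throw.
        RateLimiter::for('per-user', function (Request $request) {
            return Limit::perMinute(10)->by($request->user()->id);
        });

        // Routes open to guests: authenticated users get 100/min on their id,
        // anonymous clients share 20/min per source IP address (see the
        // TrustProxies caveat above if you run behind a proxy).
        RateLimiter::for('mixed', function (Request $request) {
            return $request->user()
                ? Limit::perMinute(100)->by($request->user()->id)
                : Limit::perMinute(20)->by($request->ip());
        });

        // Brute-force defence for a login form. Returning an array means every
        // Limit must pass. The strict one is keyed on account + IP, which slows
        // guessing against one account without letting a single attacker lock
        // that account for everyone; the looser one caps one IP across accounts.
        RateLimiter::for('login', function (Request $request) {
            $account = strtolower(trim((string) $request->input('email')));

            return [
                Limit::perMinute(5)->by($account.'|'.$request->ip()),
                Limit::perMinute(50)->by($request->ip()),
            ];
        });
    }
}

// ---- file: routes/web.php ----

use App\Http\Controllers\DashboardController; // hypothetical controllers
use App\Http\Controllers\LoginController;
use App\Http\Controllers\SearchController;
use Illuminate\Support\Facades\Route;

// 'auth' is listed first so guests are redirected before the per-user
// limiter tries to read $request->user()->id.
Route::middleware(['auth', 'throttle:per-user'])->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index']);
});

Route::get('/search', [SearchController::class, 'index'])
    ->middleware('throttle:mixed');

Route::post('/login', [LoginController::class, 'store'])
    ->middleware('throttle:login');
```

Two design notes. The key passed to ->by() becomes part of a cache key, so every distinct value gets its own counter in your cache store; keying on attacker-controlled input such as the e-mail field is fine when, as here, it is combined with the IP address and the store is sized for many short-lived entries. And because the limiter closure runs on every request, keep it free of database queries: $request->user() is resolved once and reused by the framework, so reading its id is cheap.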

It looks pretty good! We now have an efficient configured rate limiter. Using the throttle middleware with the RateLimiter facade is awesome and enjoyable to use.

However, the RateLimiter is not only meant to be used with the throttle middleware: you can also call it directly, in your controllers for example, for more advanced use. I invite you to consult the documentation to learn more about this.

I hope you enjoyed this post. Feel free to give it a clap! 👏

👋 I offer tech consulting services for companies that need help with their Laravel applications. I can assist with upgrades, refactoring, testing, new features, or building new apps. Feel free to contact me through LinkedIn, or you can find my email on my GitHub profile.

