DEV Community: Yaroslav Litvinov The latest articles on DEV Community by Yaroslav Litvinov (@iarie). https://dev.to/iarie https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3218149%2Fe1dbe0b2-e373-4e7e-b6f9-9d921a961e8e.jpeg DEV Community: Yaroslav Litvinov https://dev.to/iarie en Built-in Rate Limiting in Rails 8 Yaroslav Litvinov Wed, 28 May 2025 14:15:23 +0000 https://dev.to/iarie/built-in-rate-limiting-in-rails-8-1hch https://dev.to/iarie/built-in-rate-limiting-in-rails-8-1hch <p>Rails 8 comes with simple built-in RateLimiting feature</p> <h2> Basic usage </h2> <p>You can apply a basic rate limit in your controller with the rate_limit directive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">GreetingsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">5</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">1</span><span class="p">.</span><span class="nf">minute</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">greet</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Hello, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">goodbye</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Bye, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">name</span> <span class="n">params</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h2> Multiple named rate limits </h2> <p>use :name argument when using multiple rate limits<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">GreetingsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">2</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">1</span><span class="p">.</span><span class="nf">second</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"short-term"</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">1000</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">10</span><span class="p">.</span><span class="nf">minutes</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"long-term"</span> <span class="k">def</span> <span class="nf">greet</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Hello, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">goodbye</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Bye, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">name</span> <span class="n">params</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h2> Rate limits per action </h2> <p>assign limit to a specific action by using :only argument:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">GreetingsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">5</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">1</span><span class="p">.</span><span class="nf">minute</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"greet-limit"</span><span class="p">,</span> <span class="ss">only: :greet</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">6</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">70</span><span class="p">.</span><span class="nf">seconds</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"bye-limit"</span><span class="p">,</span> <span class="ss">only: :goodbye</span> <span class="k">def</span> <span class="nf">greet</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Hello, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">goodbye</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Bye, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">name</span> <span class="n">params</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h2> Adding Default Rate Limits </h2> <p>It's easy to extract the default rate limits into a module and include it in your controllers as default behavior.<br> We can use <code>with</code> option to define a custom error handler.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">DefaultRateLimits</span> <span class="kp">extend</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">Concern</span> <span class="n">included</span> <span class="k">do</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">45</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">1</span><span class="p">.</span><span class="nf">minute</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"long-term"</span><span class="p">,</span> <span class="ss">with: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">too_many_requests</span> <span class="p">}</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">3</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">2</span><span class="p">.</span><span class="nf">seconds</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">ip</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"short-term"</span><span class="p">,</span> <span class="ss">with: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">too_many_requests</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">too_many_requests</span><span class="p">(</span><span class="n">msg</span> <span class="o">=</span> <span class="kp">nil</span><span class="p">)</span> <span class="n">err</span> <span class="o">=</span> <span class="s2">"Rate limit exceeded."</span> <span class="k">if</span> <span class="n">msg</span> <span class="n">err</span> <span class="o">+=</span> <span class="s2">" </span><span class="si">#{</span><span class="n">msg</span><span class="si">}</span><span class="s2">."</span> <span class="k">end</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">error: </span><span class="n">err</span><span class="p">},</span> <span class="ss">status: :too_many_requests</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>include DefaultRateLimits in your controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">GreetingsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="kp">include</span> <span class="no">DefaultRateLimits</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">3</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">10</span><span class="p">.</span><span class="nf">minutes</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">params</span><span class="p">[</span><span class="s2">"name"</span><span class="p">]</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"greet-limit"</span><span class="p">,</span> <span class="ss">only: :greet</span><span class="p">,</span> <span class="ss">with: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">too_many_requests</span><span class="p">(</span><span class="s2">"Try again in 10 minutes"</span><span class="p">)</span> <span class="p">}</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">5</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">30</span><span class="p">.</span><span class="nf">minutes</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">request</span><span class="p">.</span><span class="nf">params</span><span class="p">[</span><span class="s2">"name"</span><span class="p">]</span> <span class="p">},</span> <span class="ss">name: </span><span class="s2">"goodbye-limit"</span><span class="p">,</span> <span class="ss">only: :goodbye</span><span class="p">,</span> <span class="ss">with: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">too_many_requests</span><span class="p">(</span><span class="s2">"Try again in 30 minutes"</span><span class="p">)</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">greet</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Hello, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">goodbye</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span><span class="ss">message: </span><span class="s2">"Bye, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">!"</span><span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">name</span> <span class="n">params</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="ss">:name</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>These defaults apply to all actions unless overridden by more specific rate limits.</p> <p>In this example the 'greet' action will have 3 rate limits applied concurrently:</p> <ul> <li>short-term: ip-based</li> <li>long-term: ip-based</li> <li>greet-limit: payload-based (params[:name])</li> </ul> <h4> The 429 response will look like: </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Rate limit exceeded. Try again in 30 minutes."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Caching Strategies </h2> <p>Under the hood rate_limit uses Rails cache store (ActiveSupport::Cache)<br> We can override it by passing a custom store, e.g:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">APIController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="no">RATE_LIMIT_STORE</span> <span class="o">=</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">Cache</span><span class="o">::</span><span class="no">RedisCacheStore</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="ss">url: </span><span class="no">ENV</span><span class="p">[</span><span class="s2">"REDIS_URL"</span><span class="p">])</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">10</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">3</span><span class="p">.</span><span class="nf">minutes</span><span class="p">,</span> <span class="ss">store: </span><span class="no">RATE_LIMIT_STORE</span> <span class="k">end</span> </code></pre> </div> <p>In production environments, it's recommended to use distributed caching systems such as Redis or Memcached for better performance and scalability. For development purposes, you can use ActiveSupport::Cache::MemoryStore, which is simpler and runs in memory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/application.rb or config/environments</span> <span class="n">config</span><span class="p">.</span><span class="nf">cache_store</span> <span class="o">=</span> <span class="ss">:memory_store</span><span class="p">,</span> <span class="p">{</span> <span class="ss">size: </span><span class="mi">64</span><span class="p">.</span><span class="nf">megabytes</span> <span class="p">}</span> </code></pre> </div> <h3> Testing </h3> <p>Internally rate limit cache key implemented as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">def</span> <span class="nf">rate_limiting</span><span class="p">(</span><span class="n">to</span><span class="p">:,</span> <span class="n">within</span><span class="p">:,</span> <span class="n">by</span><span class="p">:,</span> <span class="n">with</span><span class="p">:,</span> <span class="n">store</span><span class="p">:,</span> <span class="nb">name</span><span class="p">:)</span> <span class="n">cache_key</span> <span class="o">=</span> <span class="p">[</span><span class="s2">"rate-limit"</span><span class="p">,</span> <span class="n">controller_path</span><span class="p">,</span> <span class="nb">name</span><span class="p">,</span> <span class="n">instance_exec</span><span class="p">(</span><span class="o">&amp;</span><span class="n">by</span><span class="p">)].</span><span class="nf">join</span><span class="p">(</span><span class="s2">":"</span><span class="p">)</span> <span class="n">count</span> <span class="o">=</span> <span class="n">store</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="n">cache_key</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="ss">expires_in: </span><span class="n">within</span><span class="p">)</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&amp;&amp;</span> <span class="n">count</span> <span class="o">&gt;</span> <span class="n">to</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">Notifications</span><span class="p">.</span><span class="nf">instrument</span><span class="p">(</span><span class="s2">"rate_limit.action_controller"</span><span class="p">,</span> <span class="ss">request: </span><span class="n">request</span><span class="p">)</span> <span class="k">do</span> <span class="n">instance_exec</span><span class="p">(</span><span class="o">&amp;</span><span class="n">with</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p><a href="https://github.com/rails/rails/blob/3235827585d87661942c91bc81f64f56d710f0b2/actionpack/lib/action_controller/metal/rate_limiting.rb#L61-L69" rel="noopener noreferrer">see rate_limiting.rb</a></p> <p>When testing your API you can set the cache counter manually. This allows you to simulate throttled requests without waiting for the limit to be naturally hit. In your request/controller spec:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">before</span> <span class="k">do</span> <span class="n">cache_key</span> <span class="o">=</span> <span class="p">[</span><span class="s2">"rate-limit"</span><span class="p">,</span> <span class="s2">"greetings"</span><span class="p">,</span> <span class="s2">"greet-limit"</span><span class="p">,</span> <span class="s2">"Rachel"</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="s2">":"</span><span class="p">)</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">cache</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="n">cache_key</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="ss">expires_in: </span><span class="mi">1</span><span class="p">.</span><span class="nf">minutes</span><span class="p">)</span> <span class="k">end</span> <span class="n">it</span> <span class="s2">"returns 429"</span> <span class="k">do</span> <span class="c1"># Your test code here</span> <span class="k">end</span> </code></pre> </div> <p>Don't forget to reset the cache after each test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">after</span> <span class="k">do</span> <span class="n">cache_key</span> <span class="o">=</span> <span class="p">[</span><span class="s2">"rate-limit"</span><span class="p">,</span> <span class="s2">"greetings"</span><span class="p">,</span> <span class="s2">"greet-limit"</span><span class="p">,</span> <span class="s2">"Rachel"</span><span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="s2">":"</span><span class="p">)</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">cache</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="n">cache_key</span><span class="p">)</span> <span class="k">end</span> </code></pre> </div> <p>or in rails_helper:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">RSpec</span><span class="p">.</span><span class="nf">configure</span> <span class="k">do</span> <span class="o">|</span><span class="n">config</span><span class="o">|</span> <span class="n">config</span><span class="p">.</span><span class="nf">after</span><span class="p">(</span><span class="ss">:each</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">example</span><span class="o">|</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">cache</span><span class="p">.</span><span class="nf">clear</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h3> Summary </h3> <p>The RateLimiting module in Rails 8 offers a simple yet effective way to throttle requests, suitable for many applications from development through production.<br> It's easy to configure, helps prevent abuse, and integrates seamlessly with Rails controllers.<br> While ideal for most standard use cases, it may fall short in scenarios requiring dynamic rules, geo-based blocking, or distributed request coordination. For advanced rate limiting, consider libraries like <code>rack-attack</code>.</p> <h3> links: </h3> <ul> <li><a href="https://api.rubyonrails.org/classes/ActionController/RateLimiting/ClassMethods.html" rel="noopener noreferrer">https://api.rubyonrails.org/classes/ActionController/RateLimiting/ClassMethods.html</a></li> <li><a href="https://github.com/rack/rack-attack" rel="noopener noreferrer">https://github.com/rack/rack-attack</a></li> <li><a href="https://guides.rubyonrails.org/caching_with_rails.html" rel="noopener noreferrer">https://guides.rubyonrails.org/caching_with_rails.html</a></li> </ul> rails ratelimiting ruby api