DEV Community

Yasser Elgammal
The Importance of Rate Limiting and How to Implement It in Laravel

What Happens When Your API Gets Flooded?

When an API receives too many requests in a short amount of time, whether from a single client or from a large number of clients, it can:

  • Overload your server's CPU and RAM,

  • Cause slowdowns or downtime,

  • Expose the application to abuse or malicious attacks.

Servers have limited resources. Without protection, excessive requests can crash your system or degrade performance for all users.

The Solution is Rate Limiting

Rate Limiting is a technique that restricts the number of requests a client can make to an API in a given time window.

Why Use Rate Limiting?

  • Protect your server from overload

  • Prevent abuse and spam attacks,

  • Ensure fair usage across all users,

  • Enhance security against DDoS and brute-force attacks.


How to Implement Rate Limiting in Laravel

Laravel makes rate limiting simple with its built-in middleware and rate limiter features.

Basic Rate Limit with Middleware

Laravel uses the throttle middleware to enforce rate limits.

In routes/api.php:

Route::middleware('throttle:60,1')->group(function () {
    Route::get('/user', [UserController::class, 'index']);
    Route::post('/order', [OrderController::class, 'store']);
});

This means each client can make at most 60 requests per minute on these routes; further requests within that minute are rejected with a 429 Too Many Requests response.

Customizing Rate Limits Per User

You can create dynamic rate limits based on the authenticated user:

In App\Providers\RouteServiceProvider:

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

public function boot()
{
    // Named limiter "api": 100 requests per minute, keyed by the authenticated
    // user's ID, or by the client IP address when the request is unauthenticated.
    RateLimiter::for('api', function ($request) {
        return Limit::perMinute(100)->by(optional($request->user())->id ?: $request->ip());
    });
}

Then apply it to your route:

Route::middleware(['throttle:api'])->group(function () {
    // Protected routes
});

Tips for Production

  • Monitor rate limits with tools like Laravel Telescope or API gateway logs,

  • Return meaningful error messages with 429 Too Many Requests responses,

  • Combine rate limiting with IP banning, CAPTCHA, or authentication for added protection.
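Putting the per-user limiter and the production tips together, here is an added example (not code from the original post) of a RouteServiceProvider boot() method that uses different limits for guests and authenticated users, returns a meaningful JSON 429 response, and adds a stricter limiter for a login endpoint to slow brute-force attempts. It assumes Laravel 9 or later and a hypothetical AuthController::login action.

```php
<?php
// Added example, not from the original post. Goes in the boot() method of
// App\Providers\RouteServiceProvider (Laravel 9+ assumed).

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    // "api" limiter: guests are keyed by IP, authenticated users by their ID,
    // so a shared office IP does not drain one bucket for every logged-in user.
    RateLimiter::for('api', function (Request $request) {
        $user = $request->user();

        if ($user === null) {
            return Limit::perMinute(30)->by('guest:' . $request->ip());
        }

        return Limit::perMinute(120)->by('user:' . $user->id)
            ->response(function (Request $request, array $headers) {
                // Meaningful 429 body; $headers already carries Retry-After
                // and the X-RateLimit-* values computed by the middleware.
                return response()->json([
                    'message'     => 'Too many requests. Please slow down and retry later.',
                    'retry_after' => $headers['Retry-After'] ?? null,
                ], 429, $headers);
            });
    });

    // "login" limiter: two limits apply at once. Keying on email + IP means one
    // client cannot lock a legitimate account out by itself, while the per-IP
    // limit still caps attempts spread across many different accounts.
    RateLimiter::for('login', function (Request $request) {
        $email = strtolower(trim((string) $request->input('email')));

        return [
            Limit::perMinute(5)->by('login:' . $email . '|' . $request->ip()),
            Limit::perMinute(50)->by('login-ip:' . $request->ip()),
        ];
    });
}

// In routes/api.php (hypothetical AuthController assumed):
// Route::middleware('throttle:api')->group(function () { /* protected routes */ });
// Route::middleware('throttle:login')->post('/login', [AuthController::class, 'login']);
```

Because the limiter stores counters in the configured cache, use a shared cache store (for example Redis) when the application runs on more than one server, or each node will count independently.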

Summary

Rate limiting isn't just a performance technique; it's a security layer that protects your application and ensures a good experience for all users.
